8.2
CVE-2026-42294
- EPSS 0.61%
- Veröffentlicht 09.05.2026 03:45:48
- Zuletzt bearbeitet 30.06.2026 03:19:36
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Argoproj ≫ Argo Workflows SwPlatformgo Version < 3.7.14
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 4.0.0 < 4.0.5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.61% | 0.446 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 8.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq
https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14
https://access.redhat.com/security/cve/CVE-2026-42294
https://bugzilla.redhat.com/show_bug.cgi?id=2468443
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42294.json