CVE-2026-42294
HIGH
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Title source: cna
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
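The defensive ordering the description implies (bound the body before buffering it, and only then verify the signature), as an added example that is not the Argo Workflows patch or code from the project. The 1 MiB cap, the `X-Signature` header, the HMAC-SHA256 scheme and the secret are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"log"
	"net/http"
)

// Assumed cap for this example; not a value taken from the Argo patch.
const maxWebhookBody = 1 << 20 // 1 MiB

// readCapped never buffers more than limit bytes of an unauthenticated body.
func readCapped(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	if r.ContentLength > limit { // declared size too large: refuse before reading
		return nil, &http.MaxBytesError{Limit: limit}
	}
	// Chunked or mislabelled bodies are cut off once limit bytes are exceeded.
	return io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
}

// eventsHandler caps the body first, then checks a hex HMAC-SHA256 signature
// carried in the hypothetical X-Signature header.
func eventsHandler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := readCapped(w, r, maxWebhookBody)
		if err != nil { // oversized or unreadable: reject before any signature work
			http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		mac := hmac.New(sha256.New, secret)
		mac.Write(body)
		got, err := hex.DecodeString(r.Header.Get("X-Signature"))
		if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusNoContent) // authenticated event accepted
	}
}

func main() {
	h := eventsHandler([]byte("example-secret")) // constructed secret
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

A matching request-size limit at the ingress or reverse proxy in front of the server gives a second bound that does not depend on the application code.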
References (4)
x_refsource_confirm
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq
x_refsource_misc
https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965
x_refsource_misc
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14
x_refsource_misc
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5
Scores
CVSS v3
7.5
EPSS
0.0005
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (5)
argoproj/argo-workflows
0 - 3.7.14 (Go)
argoproj/argo-workflows
4.0.0 - 4.0.5 (Go)
argoproj/argo-workflows
< 3.7.14
argoproj/argo-workflows
>= 4.0.0, < 4.0.5
argoproj/argo_workflows
< 3.7.14
Published
May 09, 2026
Tracked Since
May 09, 2026