GHSA-3775-99MW-8RP4 Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure

The fix for CVE-2026-31892 commit 534f4ff blocks podSpecPatch when templateReferencing: Strict is active, but doesn't restrict other WorkflowSpec fields that flow through the same merge path and get applied to pods. A user can set hostNetwork: true, override serviceAccountName, or change...

GO-2025-4023 Argo Workflow has a Zipslip Vulnerability in github.com/argoproj/argo-workflows

Argo Workflow has a Zipslip Vulnerability in github.com/argoproj/argo-workflows...

GO-2025-4024 Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows

Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows...

Argo Workflow may expose artifact repository credentials

Summary An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read workflow-controller logs and get credentials to the artifact repository. Details An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal...

GHSA-C2HV-4PFJ-MM2R Argo Workflow may expose artifact repository credentials

Summary An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read workflow-controller logs and get credentials to the artifact repository. Details An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal...

GHSA-P84V-GXVW-73PF Argo Workflow has a Zipslip Vulnerability

Vulnerability Description Vulnerability Overview 1. During the artifact extraction process, the unpack function extracts the compressed file to a temporary directory /etc.tmpdir and then attempts to move its contents to /etc using the rename system call, 2. However, since /etc is an already...

Argo Workflow has a Zipslip Vulnerability

Vulnerability Description Vulnerability Overview 1. During the artifact extraction process, the unpack function extracts the compressed file to a temporary directory /etc.tmpdir and then attempts to move its contents to /etc using the rename system call, 2. However, since /etc is an already...

Microsoft: Big Cryptomining Attacks Hit Kubeflow

Microsoft has spotted a new, widespread, ongoing attack targeting Kubernetes clusters running Kubeflow instances, in order to plant malicious TensorFlow pods that are used to mine for cryptocurrency. The Kubeflow open-source project is a popular framework for running machine learning ML tasks in...