8 matches found
GHSA-3775-99MW-8RP4 Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure
The fix for CVE-2026-31892 commit 534f4ff blocks podSpecPatch when templateReferencing: Strict is active, but doesn't restrict other WorkflowSpec fields that flow through the same merge path and get applied to pods. A user can set hostNetwork: true, override serviceAccountName, or change...
GO-2025-4024 Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows
Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows...
GO-2025-4023 Argo Workflow has a Zipslip Vulnerability in github.com/argoproj/argo-workflows
Argo Workflow has a Zipslip Vulnerability in github.com/argoproj/argo-workflows...
GHSA-C2HV-4PFJ-MM2R Argo Workflow may expose artifact repository credentials
Summary: An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read workflow-controller logs and get credentials to the artifact repository. Details: An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal...
GHSA-P84V-GXVW-73PF Argo Workflow has a Zipslip Vulnerability
Vulnerability Description / Vulnerability Overview: 1. During the artifact extraction process, the unpack function extracts the compressed file to a temporary directory /etc.tmpdir and then attempts to move its contents to /etc using the rename system call. 2. However, since /etc is an already...
Microsoft: Big Cryptomining Attacks Hit Kubeflow
Microsoft has spotted a new, widespread, ongoing attack targeting Kubernetes clusters running Kubeflow instances, in order to plant malicious TensorFlow pods that are used to mine for cryptocurrency. The Kubeflow open-source project is a popular framework for running machine learning (ML) tasks in...