Lucene search
1037 matches found

Cvelist
added 2026/05/12 9:17 p.m. | 26 views

CVE-2026-45226 Heym < 0.0.21 Authorization Bypass in Workflow Execution

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVSS 7.6 | EPSS 0.00058
Exploits 0 | References 4
ATTACKERKB
added 2026/05/12 9:17 p.m. | 2 views

CVE-2026-45226

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVSS 7.6 | AI score 6.2 | EPSS 0.00058
Exploits 0 | References 5
OSV
added 2026/05/12 8:38 a.m. | 3 views

BIT-ARGO-WORKFLOWS-2026-42297 Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

CVSS 8.5 | AI score 5.7 | EPSS 0.00014
Exploits 1 | References 4
OSV
added 2026/05/12 8:38 a.m. | 4 views

BIT-ARGO-WORKFLOWS-2026-42296 Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...

CVSS 8.1 | AI score 5.7 | EPSS 0.00035
Exploits 1 | References 5
OSV
added 2026/05/12 8:38 a.m. | 3 views

BIT-ARGO-WORKFLOWS-2026-42295 Argo Workflows: Exposure of artifact repository credentials

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS 8.5 | AI score 5.7 | EPSS 0.00042
Exploits 1 | References 3
OSV
added 2026/05/12 8:38 a.m. | 9 views

BIT-ARGO-WORKFLOWS-2026-42294 Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...

CVSS 8.2 | AI score 5.7 | EPSS 0.00054
Exploits 1 | References 5
OSV
added 2026/05/12 8:38 a.m. | 3 views

BIT-ARGO-WORKFLOWS-2026-42183 Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

CVSS 6.5 | AI score 5.7 | EPSS 0.00051
Exploits 1 | References 4
Wolfi
added 2026/05/12 7:48 a.m. | 5 views

GHSA-389R-GV7P-R3RP vulnerabilities

Vulnerabilities for packages: apko, xeol, flux-image-automation-controller, trivy-operator, gitea, grafana-alloy, grype, argo-cd, melange, external-secrets-operator, src-fingerprint, kargo, argocd-image-updater, grafana, kaniko, kyverno, pulumi-kubernetes-operator, k9s, pulumi-language-java,...

AI score 5.8
Exploits 0
Chainguard
added 2026/05/12 7:19 a.m. | 6 views

CVE-2026-45022 vulnerabilities

Vulnerabilities for packages: zot, argocd-image-updater, trivy-fips, skaffold, rancher-fleet, kaniko, apko, coder-fips, src-fingerprint, kargo, flux-image-automation-controller, kyverno-fips, pulumi-language-java, snyk-cli, trufflehog-fips, gomplate-fips, syft-fips, gitlab-runner,...

CVSS 7 | AI score 5.8 | EPSS 0.00007
Exploits 0
Chainguard
added 2026/05/12 7:19 a.m. | 3 views

GHSA-389R-GV7P-R3RP vulnerabilities

Vulnerabilities for packages: zot, argocd-image-updater, trivy-fips, skaffold, rancher-fleet, kaniko, apko, coder-fips, src-fingerprint, kargo, flux-image-automation-controller, kyverno-fips, pulumi-language-java, snyk-cli, trufflehog-fips, gomplate-fips, syft-fips, gitlab-runner,...

AI score 5.8
Exploits 0
Positive Technologies
added 2026/05/12 12:00 a.m. | 5 views

PT-2026-40272

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...

CVSS 8.1 | AI score 5.7 | EPSS 0.00035
Exploits 1 | References 6
Positive Technologies
added 2026/05/12 12:00 a.m. | 5 views

PT-2026-40269

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

CVSS 2.3 | AI score 5.7 | EPSS 0.00051
Exploits 1 | References 5
Positive Technologies
added 2026/05/12 12:00 a.m. | 4 views

PT-2026-40273

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

CVSS 8.5 | AI score 5.7 | EPSS 0.00014
Exploits 1 | References 5
CNNVD
added 2026/05/12 12:00 a.m. | 3 views

Heym security vulnerability

Heym is an open-source AI-native workflow automation platform developed by heymrun. Versions of Heym prior to 0.0.21 contained security vulnerabilities. These vulnerabilities stemmed from authorization bypasses during workflow execution, allowing authenticated users to execute arbitrary workflows...

CVSS 7.6 | AI score 6.1 | EPSS 0.00058
Exploits 0 | References 1
Positive Technologies
added 2026/05/12 12:00 a.m. | 3 views

PT-2026-40271

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS 8.5 | AI score 5.7 | EPSS 0.00042
Exploits 1 | References 4
Positive Technologies
added 2026/05/12 12:00 a.m. | 6 views

PT-2026-40270

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...

CVSS 8.2 | AI score 5.7 | EPSS 0.00054
Exploits 1 | References 6
Positive Technologies
added 2026/05/12 12:00 a.m. | 4 views

PT-2026-40451

Name of the Vulnerable Software and Affected Versions: Heym versions prior to 0.0.21. Description: An authorization bypass exists in workflow execution allowing authenticated users to execute arbitrary workflows. By referencing victim workflow UUIDs without proper access validation, attackers can...

CVSS 7.6 | AI score 6.2 | EPSS 0.00058
Exploits 0 | References 7
Packet Storm News
added 2026/05/11 12:00 a.m. | 4 views

Comment and Control: Hijacking Agentic Workflows Via Context-Grounded Evolution

Automation platforms such as GitHub Actions and n8n are increasingly adopting so-called agentic workflows, which integrate Large Language Model LLM agents for tasks such as code review and data synchronization. While bringing convenience for developers, this integration exposes a new risk: An...

AI score 6
Exploits 0
Wolfi
added 2026/05/10 2:21 a.m. | 11 views

CVE-2026-44728 vulnerabilities

Vulnerabilities for packages: argo-workflows, vitess...

CVSS 8.2 | AI score 5.8 | EPSS 0.0002
Exploits 0
Wolfi
added 2026/05/10 2:21 a.m. | 6 views

GHSA-FV7C-FP4J-7GWP vulnerabilities

Vulnerabilities for packages: argo-workflows, vitess...

AI score 5.8
Exploits 0