Trend Micro Simply Security
added 2026/05/13 12:0 a.m., 5 views

Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale...

AI score: 5.8
Exploits: 0
NVD
added 2026/05/12 10:16 p.m., 6 views

CVE-2026-45226

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVSS: 7.6, EPSS: 0.00293
Exploits: 0, References: 4
ATTACKERKB
added 2026/05/12 9:17 p.m., 4 views

CVE-2026-45226

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVSS: 7.6, AI score: 6.2, EPSS: 0.00293
Exploits: 0, References: 5
Cvelist
added 2026/05/12 9:17 p.m., 32 views

CVE-2026-45226 Heym < 0.0.21 Authorization Bypass in Workflow Execution

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVSS: 7.6, EPSS: 0.00293
Exploits: 0, References: 4
CVE
added 2026/05/12 9:17 p.m., 20 views

CVE-2026-45226

CVE-2026-45226 affects Heym before 0.0.21 and describes an authorization bypass in workflow execution. Authenticated users can reference victim workflow UUIDs to load and execute those workflows via attacker-controlled execution paths, potentially exposing victim outputs and triggering nodes with...

CVSS: 7.6, AI score: 6.2, EPSS: 0.00293
Exploits: 0, References: 4
OSV
added 2026/05/12 8:38 a.m., 3 views

BIT-ARGO-WORKFLOWS-2026-42297 Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

CVSS: 8.5, AI score: 5.7, EPSS: 0.00457
Exploits: 1, References: 4
OSV
added 2026/05/12 8:38 a.m., 5 views

BIT-ARGO-WORKFLOWS-2026-42296 Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...

CVSS: 8.1, AI score: 5.7, EPSS: 0.0038
Exploits: 2, References: 5
OSV
added 2026/05/12 8:38 a.m., 4 views

BIT-ARGO-WORKFLOWS-2026-42295 Argo Workflows: Exposure of artifact repository credentials

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS: 8.5, AI score: 5.7, EPSS: 0.00357
Exploits: 1, References: 3
OSV
added 2026/05/12 8:38 a.m., 9 views

BIT-ARGO-WORKFLOWS-2026-42294 Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...

CVSS: 8.2, AI score: 5.7, EPSS: 0.00546
Exploits: 1, References: 5
OSV
added 2026/05/12 8:38 a.m., 5 views

BIT-ARGO-WORKFLOWS-2026-42183 Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

CVSS: 6.5, AI score: 5.7, EPSS: 0.00377
Exploits: 1, References: 4
Wolfi
added 2026/05/12 7:48 a.m., 8 views

GHSA-389R-GV7P-R3RP vulnerabilities

Vulnerabilities for packages: kots, external-secrets-operator, trivy, cerbos, k9s, argo-cd, wolfictl, syft, pulumi, rancher-fleet, act, pulumi-language-yaml, kargo, flux-image-automation-controller, pulumi-language-java, tfsec, apko, gitlab-runner, steampipe, pulumi-kubernetes-operator, grafana,...

AI score: 5.2
Exploits: 0
Chainguard
added 2026/05/12 7:19 a.m., 29 views

CVE-2026-45022 vulnerabilities

Vulnerabilities for packages: terragrunt-fips, nemo, bom, steampipe, gitlab-rails-ce-fips, flux, skaffold, external-secrets-operator, redpanda-console, amazon-ssm-agent, cloudbeat-fips, rancher-fleet-fips, tfsec, witness, chainloop-cli, chainloop-cli-fips, melange, goreleaser, coder-fips, argo-cd...

CVSS: 7.5, AI score: 5.1, EPSS: 0.00147
Exploits: 0
Chainguard
added 2026/05/12 7:19 a.m., 4 views

GHSA-389R-GV7P-R3RP vulnerabilities

Vulnerabilities for packages: terragrunt-fips, nemo, bom, steampipe, gitlab-rails-ce-fips, flux, skaffold, external-secrets-operator, redpanda-console, amazon-ssm-agent, cloudbeat-fips, rancher-fleet-fips, tfsec, witness, chainloop-cli, chainloop-cli-fips, melange, goreleaser, coder-fips, argo-cd...

AI score: 5.2
Exploits: 0
Positive Technologies
added 2026/05/12 12:0 a.m., 8 views

PT-2026-40272

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...

CVSS: 8.1, AI score: 5.7, EPSS: 0.0038
Exploits: 2, References: 6
CNNVD
added 2026/05/12 12:0 a.m., 5 views

Heym Security Vulnerability

Heym is an open-source AI-native workflow automation platform developed by heymrun. Versions of Heym prior to 0.0.21 contained security vulnerabilities. These vulnerabilities stemmed from authorization bypasses during workflow execution, allowing authenticated users to execute arbitrary workflows...

CVSS: 7.6, AI score: 6.1, EPSS: 0.00293
Exploits: 0, References: 1
Positive Technologies
added 2026/05/12 12:0 a.m., 6 views

PT-2026-40273

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

CVSS: 8.5, AI score: 5.7, EPSS: 0.00457
Exploits: 1, References: 5
Positive Technologies
added 2026/05/12 12:0 a.m., 8 views

PT-2026-40270

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...

CVSS: 8.2, AI score: 5.7, EPSS: 0.00546
Exploits: 1, References: 6
Positive Technologies
added 2026/05/12 12:0 a.m., 6 views

PT-2026-40269

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

CVSS: 2.3, AI score: 5.7, EPSS: 0.00377
Exploits: 1, References: 5
Positive Technologies
added 2026/05/12 12:0 a.m., 5 views

PT-2026-40271

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS: 8.5, AI score: 5.7, EPSS: 0.00357
Exploits: 1, References: 4
Positive Technologies
added 2026/05/12 12:0 a.m., 6 views

PT-2026-40451

Name of the Vulnerable Software and Affected Versions: Heym versions prior to 0.0.21. Description: An authorization bypass exists in workflow execution allowing authenticated users to execute arbitrary workflows. By referencing victim workflow UUIDs without proper access validation, attackers can...

CVSS: 7.6, AI score: 6.2, EPSS: 0.00293
Exploits: 0, References: 7