Critical (9.8)

Kubernetes RCE (CVE-2026-28229)


Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve Wo...

Affected: Kubernetes

Overview

A critical security vulnerability, tracked as CVE-2026-28229, has been discovered in Argo Workflows, a popular open-source workflow engine for Kubernetes. This flaw allows unauthorized access to sensitive workflow template data. Organizations using affected versions must take immediate action to update their deployments.

Vulnerability Details

In simple terms, this vulnerability is an authentication bypass in the API endpoints that manage WorkflowTemplates and ClusterWorkflowTemplates. Prior to the fixed versions, an attacker could send a request to these endpoints with a malformed or empty authorization token (e.g., Authorization: Bearer nothing) and the system would incorrectly grant access. This flaw allows any user or system with network access to the Argo Workflows server to retrieve these templates without valid credentials.

Potential Impact

The impact of this vulnerability is severe (CVSS score: 9.8, CRITICAL). By exploiting this flaw, an attacker can exfiltrate the complete content of workflow templates. Crucially, these templates often contain embedded Kubernetes Secret manifests, which can include passwords, API keys, certificates, and other sensitive credentials. Leaking this information can lead to a full compromise of your Kubernetes cluster and associated cloud resources. Such credential theft is a common precursor to ransomware attacks and significant data breaches. For examples of real-world incidents stemming from leaked credentials, you can review recent breach reports.

Remediation and Mitigation

The primary and mandatory action is to upgrade your Argo Workflows installation immediately.

1. Immediate Patching:

  • If you are using version 4.x, upgrade to version 4.0.2 or later.
  • If you are using version 3.x, upgrade to version 3.7.11 or later.

2. Verification: After applying the update, verify that the template endpoints now correctly reject requests with invalid authorization tokens. Test by attempting to access a template without proper credentials.
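The verification step above, written out as an added check script (this is not the vendor's or the advisory's own tooling). It sends the malformed token quoted in the advisory to the two template endpoints and reports whether the server now answers 401/403. The endpoint paths follow the Argo Server REST API, the namespace `argo` and the server URL are assumed values, and a self-signed certificate on the server is reported as "no response" rather than treated as a pass.

```python
"""Post-patch check: Argo template endpoints must reject an invalid bearer token."""
import sys
import urllib.error
import urllib.request

# Endpoints named in the advisory. Paths follow the Argo Server REST API;
# the namespace "argo" is an assumed value, adjust it to your install.
ENDPOINTS = [
    "/api/v1/workflow-templates/argo",
    "/api/v1/cluster-workflow-templates",
]

# The malformed token from the advisory: a patched server must refuse it.
BOGUS_TOKEN = "Bearer nothing"

NO_RESPONSE = -1  # sentinel for a connection/TLS failure (not a pass)


def is_rejected(status: int) -> bool:
    """True only when the server explicitly refused the request (401/403)."""
    return status in (401, 403)


def probe(base_url: str, path: str, timeout: float = 10.0) -> int:
    """GET one endpoint with the bogus token; return the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": BOGUS_TOKEN},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 land here
    except urllib.error.URLError:
        return NO_RESPONSE  # unreachable host, bad certificate, etc.


def verify(base_url: str) -> dict:
    """Probe every endpoint; map path -> (status, rejected?)."""
    return {path: (status := probe(base_url, path), is_rejected(status))
            for path in ENDPOINTS}


def all_rejected(results: dict) -> bool:
    """The fix is confirmed only if every endpoint refused the bogus token."""
    return all(ok for _, ok in results.values())


if __name__ == "__main__":
    # Assumed default; pass your argo-server URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://argo-server.argo.svc:2746"
    results = verify(base)
    for path, (status, ok) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {status:>4} {path}")
    sys.exit(0 if all_rejected(results) else 1)
```

A 200 with a non-empty template list on either endpoint means the server is still vulnerable; a 200 with an empty list still counts as a failure here, because the token should never have been accepted. Run the same check once more with a valid token to confirm legitimate access still works after the upgrade.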

3. Additional Security Measures:

  • Rotate Exposed Secrets: Assume any secrets stored in workflow templates prior to patching may have been compromised. Proactively rotate all embedded credentials, API keys, and certificates.
  • Network Controls: Ensure Argo Workflows servers are not exposed to untrusted networks (like the public internet) and are protected by network policies within your Kubernetes cluster.
  • Stay Informed: Regularly monitor for security updates for all your infrastructure components. For the latest on vulnerabilities like this, follow our security news feed.
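To make the "rotate exposed secrets" step concrete, here is an added inventory script (not part of the advisory or of Argo Workflows) that lists which WorkflowTemplates and ClusterWorkflowTemplates carry a Secret manifest inside a `resource` template, and which container or script steps set a sensitive-looking environment variable as a literal value. The output is the list of credentials to rotate. The `kubectl get ... -o json` layout is the standard Kubernetes List format; the sample object embedded below is constructed for a stand-alone run.

```python
"""Inventory Argo templates that embed credentials, to drive secret rotation."""
import json
import re
import subprocess

# "kind: Secret" inside an embedded manifest string, YAML or JSON form.
SECRET_KIND = re.compile(r'"?kind"?\s*:\s*"?Secret"?\b')
# Environment variable names that usually carry credentials.
SENSITIVE_ENV = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)


def fetch_templates() -> dict:
    """Pull both CRDs from the cluster and merge them into one List."""
    items = []
    for kind, scope in (("workflowtemplates", ["-A"]),
                        ("clusterworkflowtemplates", [])):
        out = subprocess.check_output(["kubectl", "get", kind, *scope, "-o", "json"])
        items.extend(json.loads(out).get("items", []))
    return {"items": items}


def find_embedded_secrets(template_list: dict) -> list[dict]:
    """Return one finding per template step that embeds a credential."""
    findings = []
    for item in template_list.get("items", []):
        meta = item.get("metadata", {})
        owner = f"{meta.get('namespace', '<cluster>')}/{meta.get('name')}"
        for tmpl in item.get("spec", {}).get("templates", []):
            step = tmpl.get("name")
            # 1. A resource template whose manifest creates a Secret.
            manifest = (tmpl.get("resource") or {}).get("manifest", "")
            if manifest and SECRET_KIND.search(manifest):
                findings.append({"template": owner, "step": step,
                                 "reason": "embedded Secret manifest"})
            # 2. A container/script step with a credential as a literal env value
            #    (valueFrom.secretKeyRef references are fine and are skipped).
            runner = tmpl.get("container") or tmpl.get("script") or {}
            for env in runner.get("env", []):
                if "value" in env and SENSITIVE_ENV.search(env.get("name", "")):
                    findings.append({"template": owner, "step": step,
                                     "reason": f"literal env {env['name']}"})
    return findings


# Constructed sample: one namespaced template with two findings, one clean
# cluster-scoped template. Not real data.
SAMPLE = {"items": [
    {"kind": "WorkflowTemplate",
     "metadata": {"namespace": "argo", "name": "build"},
     "spec": {"templates": [
         {"name": "create-creds", "resource": {"action": "create", "manifest":
             "apiVersion: v1\nkind: Secret\nmetadata:\n  name: registry\n"
             "stringData:\n  password: example-placeholder\n"}},
         {"name": "run", "container": {"image": "alpine",
             "env": [{"name": "API_TOKEN", "value": "example-placeholder"}]}},
         {"name": "safe", "container": {"image": "alpine",
             "env": [{"name": "API_TOKEN", "valueFrom":
                      {"secretKeyRef": {"name": "api", "key": "token"}}}]}},
     ]}},
    {"kind": "ClusterWorkflowTemplate",
     "metadata": {"name": "lint"},
     "spec": {"templates": [{"name": "lint", "container": {"image": "alpine"}}]}},
]}

if __name__ == "__main__":
    # Use the live cluster when kubectl is available, else the sample.
    try:
        data = fetch_templates()
    except (OSError, subprocess.CalledProcessError):
        data = SAMPLE
    for f in find_embedded_secrets(data):
        print(f"{f['template']}  step={f['step']}  {f['reason']}")
```

Treat every item the script prints as compromised and rotate it; moving the value into a Secret referenced via `valueFrom.secretKeyRef` removes it from the template body, which is what the vulnerable endpoints disclosed.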

Failure to patch this vulnerability promptly exposes your organization to a high risk of data theft and system takeover.
