CVE-2026-42294

UNKNOWN 0.0

Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.

CWE	CWE-770
Vendor	argoproj
Product	argo-workflows
Published	May 9, 2026

Stay Ahead of the Next One

Get instant alerts for argoproj argo-workflows

Be the first to know when new unknown vulnerabilities affecting argoproj argo-workflows are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

argoproj / argo-workflows

< 3.7.14 >= 4.0.0, < 4.0.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq github.com: https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965 github.com: https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 github.com: https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5