CVE-2026-28229: CWE-863: Incorrect Authorization in argoproj argo-workflows
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization: Bearer nothing token can leak sensitive template content, including embedded Secret manifests. This vulnerability is fixed in 4.0.2 and 3.7.11.
AI Analysis
Technical Summary
CVE-2026-28229 is an incorrect authorization vulnerability (CWE-863) affecting Argo Workflows, an open-source container-native workflow engine for Kubernetes. Specifically, versions >=4.0.0 and <4.0.2, and versions below 3.7.11, expose WorkflowTemplates and ClusterWorkflowTemplates endpoints without proper access control. Any client can send a request with an Authorization header containing a bearer token with the value 'nothing' or empty, bypassing authentication checks. This allows unauthorized retrieval of workflow templates, which may embed sensitive Kubernetes Secret manifests. Such exposure can lead to leakage of critical secrets used in container orchestration and automation workflows. The vulnerability is remotely exploitable over the network without authentication or user interaction, making it highly accessible to attackers. The flaw was addressed and fixed in Argo Workflows versions 4.0.2 and 3.7.11 by enforcing proper authorization checks on these endpoints. No known exploits are currently reported in the wild, but the high CVSS score of 9.8 reflects the potential impact and ease of exploitation. This vulnerability undermines the confidentiality, integrity, and availability of workflow configurations and secrets managed by Argo Workflows in Kubernetes environments.
Potential Impact
The impact of CVE-2026-28229 is critical for organizations using vulnerable versions of Argo Workflows. Unauthorized access to WorkflowTemplates and ClusterWorkflowTemplates can lead to exposure of embedded Kubernetes Secrets, which may include credentials, tokens, or other sensitive data. This can enable attackers to escalate privileges, move laterally within Kubernetes clusters, or compromise containerized applications orchestrated by Argo Workflows. The integrity of workflow definitions can be undermined if attackers modify or misuse the retrieved templates. Availability may also be affected if attackers disrupt workflow execution by manipulating or leaking sensitive configuration data. Given the widespread adoption of Kubernetes and Argo Workflows in cloud-native environments, this vulnerability poses a significant risk to cloud service providers, enterprises, and DevOps teams globally. The ease of exploitation without authentication increases the likelihood of automated scanning and attacks, potentially leading to data breaches, service disruptions, and compliance violations.
Mitigation Recommendations
To mitigate CVE-2026-28229, organizations should immediately upgrade Argo Workflows to version 4.0.2 or later, or 3.7.11 or later, where the authorization checks on WorkflowTemplates endpoints are properly enforced. Until upgrades can be applied, restrict network access to Argo Workflows API endpoints using network policies, firewalls, or API gateways to limit exposure to trusted users and systems only. Implement strong Kubernetes Role-Based Access Control (RBAC) policies to minimize permissions granted to service accounts and users interacting with Argo Workflows. Regularly audit workflow templates and embedded secrets to ensure no sensitive data is unnecessarily exposed. Monitor logs and network traffic for unusual access patterns to the WorkflowTemplates endpoints. Consider using secrets management solutions external to workflow templates to reduce secret exposure risk. Finally, integrate vulnerability scanning and continuous security assessments into the CI/CD pipeline to detect and remediate similar issues proactively.
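One way to carry out the template audit recommended above, as an added example (not code from the Argo project or from this advisory): it scans the JSON produced by `kubectl get workflowtemplates,clusterworkflowtemplates -A -o json` for resource templates whose inline manifest declares a Kubernetes Secret. The sample listing is constructed, and matching `kind: Secret` with a regular expression instead of a full YAML parse is a simplifying assumption.

```python
import json
import re
import sys

# Matches a "kind: Secret" line (optionally quoted) in an inline YAML manifest.
SECRET_KIND = re.compile(r"^\s*kind:\s*['\"]?Secret['\"]?\s*$", re.MULTILINE)


def find_embedded_secrets(listing_json):
    """Return (kind, namespace, object name, template name) for every
    resource template whose inline manifest declares a Secret."""
    findings = []
    for item in json.loads(listing_json).get("items", []):
        meta = item.get("metadata", {})
        for tmpl in item.get("spec", {}).get("templates") or []:
            manifest = (tmpl.get("resource") or {}).get("manifest") or ""
            if SECRET_KIND.search(manifest):
                findings.append((item.get("kind"), meta.get("namespace", "-"),
                                 meta.get("name"), tmpl.get("name")))
    return findings


# Constructed sample listing (not real cluster data).
SAMPLE = json.dumps({"items": [
    {"kind": "WorkflowTemplate",
     "metadata": {"name": "deploy", "namespace": "ci"},
     "spec": {"templates": [
         {"name": "make-creds", "resource": {"action": "create", "manifest":
             "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\n"
             "stringData:\n  password: example\n"}},
         {"name": "build", "container": {"image": "alpine:3"}}]}},
    {"kind": "ClusterWorkflowTemplate",
     "metadata": {"name": "shared"},
     "spec": {"templates": [
         {"name": "make-cm", "resource": {"action": "create", "manifest":
             "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: secret-notes\n"}}]}},
]})

if __name__ == "__main__":
    # Pipe kubectl output in on stdin; falls back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for kind, ns, name, tmpl in find_embedded_secrets(data):
        print(f"{kind} {ns}/{name}: template '{tmpl}' embeds a Secret manifest")
```

Each finding is a template whose secret material would have been readable through the unauthenticated template endpoints on an unpatched server, so it is a candidate for rotation and for moving the value out of the template.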
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T15:28:40.651Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1917d2f860ef9432c8e45
Added to database: 3/11/2026, 3:59:57 PM
Last enriched: 3/11/2026, 4:14:29 PM
Last updated: 3/14/2026, 2:03:34 AM