CVE-2026-42295: CWE-522: Insufficiently Protected Credentials in argoproj argo-workflows
CVE-2026-42295 is a high-severity vulnerability in argoproj argo-workflows versions 4. 0. 0 up to but not including 4. 0. 5. The workflow executor logs artifact repository credentials such as S3 keys, GCS service account keys, Azure keys, and Git passwords in plaintext during artifact operations. Any user with read access to the workflow pod logs can extract these sensitive credentials. This issue has been addressed and patched in version 4. 0. 5.
AI Analysis
Technical Summary
Argo Workflows, a container-native workflow engine for Kubernetes, versions 4.0.0 through 4.0.4 log sensitive artifact repository credentials in plaintext within workflow pod logs. This includes credentials for S3, GCS, Azure, and Git. Because these logs are accessible to users with read permissions on the workflow pods, credential exposure risk exists. The vulnerability is tracked as CWE-522 (Insufficiently Protected Credentials) and has a CVSS 4.0 score of 8.5 (high severity). The issue is patched in version 4.0.5. The product is cloud-hosted, and the vendor manages remediation for the cloud service.
Potential Impact
Exposure of plaintext credentials in workflow pod logs allows any user with read access to those logs to obtain sensitive access keys and passwords. This can lead to unauthorized access to artifact repositories and potentially further compromise of systems relying on those credentials. The vulnerability affects all deployments running affected versions prior to 4.0.5.
Mitigation Recommendations
A patch is available in argoproj argo-workflows version 4.0.5 that resolves this credential logging issue. Users should upgrade to version 4.0.5 or later to remediate this vulnerability. Since this is a cloud-hosted service, the vendor manages remediation for the cloud environment; users should verify with the vendor that their cloud instances are updated. No additional mitigation steps are specified by the vendor advisory.
CVE-2026-42295: CWE-522: Insufficiently Protected Credentials in argoproj argo-workflows
Description
CVE-2026-42295 is a high-severity vulnerability in argoproj argo-workflows versions 4. 0. 0 up to but not including 4. 0. 5. The workflow executor logs artifact repository credentials such as S3 keys, GCS service account keys, Azure keys, and Git passwords in plaintext during artifact operations. Any user with read access to the workflow pod logs can extract these sensitive credentials. This issue has been addressed and patched in version 4. 0. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Argo Workflows, a container-native workflow engine for Kubernetes, versions 4.0.0 through 4.0.4 log sensitive artifact repository credentials in plaintext within workflow pod logs. This includes credentials for S3, GCS, Azure, and Git. Because these logs are accessible to users with read permissions on the workflow pods, credential exposure risk exists. The vulnerability is tracked as CWE-522 (Insufficiently Protected Credentials) and has a CVSS 4.0 score of 8.5 (high severity). The issue is patched in version 4.0.5. The product is cloud-hosted, and the vendor manages remediation for the cloud service.
Potential Impact
Exposure of plaintext credentials in workflow pod logs allows any user with read access to those logs to obtain sensitive access keys and passwords. This can lead to unauthorized access to artifact repositories and potentially further compromise of systems relying on those credentials. The vulnerability affects all deployments running affected versions prior to 4.0.5.
Mitigation Recommendations
A patch is available in argoproj argo-workflows version 4.0.5 that resolves this credential logging issue. Users should upgrade to version 4.0.5 or later to remediate this vulnerability. Since this is a cloud-hosted service, the vendor manages remediation for the cloud environment; users should verify with the vendor that their cloud instances are updated. No additional mitigation steps are specified by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:13:55.552Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69ffe1b2cbff5d8610ead43f
Added to database: 5/10/2026, 1:38:58 AM
Last enriched: 5/10/2026, 1:39:56 AM
Last updated: 5/10/2026, 10:45:34 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.