{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42294","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-26T12:13:55.551Z","datePublished":"2026-05-09T03:45:48.180Z","dateUpdated":"2026-06-30T12:08:41.852Z"},"containers":{"cna":{"title":"Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor","problemTypes":[{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq","tags":["x_refsource_CONFIRM"],"url":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq"},{"name":"https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965","tags":["x_refsource_MISC"],"url":"https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965"},{"name":"https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14","tags":["x_refsource_MISC"],"url":"https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14"},{"name":"https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5","tags":["x_refsource_MISC"],"url":"https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5"}],"affected":[{"vendor":"argoproj","product":"argo-workflows","versions":[{"version":"< 3.7.14","status":"affected"},{"version":">= 4.0.0, < 4.0.5","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-09T03:45:48.180Z"},"descriptions":[{"lang":"en","value":"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5."}],"source":{"advisory":"GHSA-jcc8-g2q4-9fxq","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T15:47:11.506111Z","id":"CVE-2026-42294","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T15:47:21.683Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-05-09T03:45:48.180Z","descriptions":[{"lang":"en","value":"A flaw was found in Argo Workflows. The Webhook Interceptor, accessible via the /api/v1/events/ endpoint, loads the entire request body into memory before authenticating the request or verifying its signature. A remote attacker can exploit this by sending an extremely large request, causing the Argo Server to allocate excessive memory. This can lead to an Out-Of-Memory (OOM) crash, resulting in a denial of service (DoS) for the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42294"},{"name":"RHBZ#2468443","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2468443"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42294.json"}],"timeline":[{"lang":"en","time":"2026-05-09T05:01:16.989Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-09T03:45:48.180Z","value":"Made public."}],"title":"Argo Workflows: github.com/argoproj/argo-workflows: Argo Workflows: Denial of Service via large request body to Webhook Interceptor","workarounds":[{"lang":"en","value":"Upgrade Argo Workflows to version 3.7.14 or later (3.x line) or 4.0.5 or later (4.x line) in affected Red Hat OpenShift AI releases. Red Hat OpenShift AI engineering is expected to deliver updated Data Science Pipelines builds for affected streams (rhoai-2.25, rhoai-3.3, rhoai-3.4).\n\nUntil updated images are available, restrict network access to the Argo Server webhook endpoint (/api/v1/events/) using Ingress rules, firewall policies, or Kubernetes NetworkPolicy so only trusted webhook sources can reach it. Configure request body size limits at the Ingress or load balancer layer (for example, a maximum body size well below multi-gigabyte payloads) to reduce the risk of memory exhaustion from oversized requests."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:41.852Z"}}]}}