{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42297","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-26T12:13:55.552Z","datePublished":"2026-05-09T03:42:43.305Z","dateUpdated":"2026-07-06T12:05:04.811Z"},"containers":{"cna":{"title":"Argo Workflows Is Missing Authorization in Sync ConfigMap Provider","problemTypes":[{"descriptions":[{"cweId":"CWE-862","lang":"en","description":"CWE-862: Missing Authorization","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","baseScore":8.5,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H","version":"4.0"}}],"references":[{"name":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q","tags":["x_refsource_CONFIRM"],"url":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q"},{"name":"https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6","tags":["x_refsource_MISC"],"url":"https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6"},{"name":"https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5","tags":["x_refsource_MISC"],"url":"https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5"}],"affected":[{"vendor":"argoproj","product":"argo-workflows","versions":[{"version":">= 4.0.0, < 4.0.5","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-09T03:42:43.305Z"},"descriptions":[{"lang":"en","value":"Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5."}],"source":{"advisory":"GHSA-xchc-cqwg-g76q","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-12T02:22:39.608385Z","id":"CVE-2026-42297","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-12T02:23:10.943Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-05-09T03:42:43.305Z","descriptions":[{"lang":"en","value":"A flaw was found in Argo Workflows. The Sync Service's ConfigMap-backed provider performs zero authorization checks on all create, read, update, and delete operations. This allows any authenticated user, including those using fake Bearer tokens, to manipulate Kubernetes ConfigMaps containing synchronization limits. Such unauthorized access can lead to denial of service or other unauthorized configuration changes within the Kubernetes environment."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-425","description":"Direct Request ('Forced Browsing')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42297"},{"name":"RHBZ#2468448","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2468448"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42297.json"}],"timeline":[{"lang":"en","time":"2026-05-09T05:01:33.105Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-09T03:42:43.305Z","value":"Made public."}],"title":"Argo Workflows: github.com/argoproj/argo-workflows: Argo Workflows: Unauthorized ConfigMap manipulation due to missing authorization","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-06T12:05:04.811Z"}}]}}