CVE-2026-28229

ArgoProj · Argo Workflows

Argo Workflows template endpoints allow unauthenticated clients to leak sensitive WorkflowTemplates and Secret manifests by providing a malformed "Bearer nothing" authorization token.

Executive summary

A critical authentication bypass in Argo Workflows allows unauthenticated attackers to exfiltrate sensitive secrets and configuration data from Kubernetes environments.

Vulnerability

The Argo Workflows API server fails to properly validate authorization tokens on the WorkflowTemplates and ClusterWorkflowTemplates endpoints. By submitting an "Authorization: Bearer nothing" header, an unauthenticated attacker can bypass the authentication check and retrieve template content. Because templates can embed arbitrary Kubernetes manifests (for example through resource-type template steps), that content can include Secret manifests and the credentials they carry.
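To show the bug class the advisory describes, the following Go program (added here as an illustration; it is not Argo's code and does not reproduce the project's real authentication path) contrasts a gate that only checks that a Bearer header is present with one that verifies the token and fails closed. The endpoint path, the token value and the in-memory verifier are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownTokens stands in for a real verifier (OIDC, Kubernetes TokenReview).
// Constructed for this example: only this one value is authentic.
var knownTokens = map[string]bool{"example-valid-token-0123456789": true}

// bearerToken returns the token from a "Bearer <token>" header, or "" when
// the header is missing, uses another scheme, or carries nothing after it.
func bearerToken(r *http.Request) string {
	fields := strings.Fields(r.Header.Get("Authorization"))
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") {
		return ""
	}
	return fields[1]
}

// weakGate shows the bug class: presence of a Bearer header is taken as
// proof of identity, so "Bearer nothing" is let through.
func weakGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bearerToken(r) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// strictGate fails closed: the token must parse and verify, otherwise 401.
func strictGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := bearerToken(r)
		if tok == "" || !knownTokens[tok] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// templateHandler returns a constructed WorkflowTemplate body; in a real
// deployment this would be the object read from the cluster.
func templateHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"kind":"WorkflowTemplate","metadata":{"name":"example"}}`)
	})
}

// probe sends one request through the given gate and returns the HTTP status.
func probe(gate func(http.Handler) http.Handler, auth string) int {
	srv := httptest.NewServer(gate(templateHandler()))
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/api/v1/workflow-templates/argo", nil)
	if err != nil {
		return -1
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return -1
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	for _, auth := range []string{"", "Bearer nothing", "Bearer example-valid-token-0123456789"} {
		fmt.Printf("%-40q weak=%d strict=%d\n", auth, probe(weakGate, auth), probe(strictGate, auth))
	}
}
```

The point of the comparison is the failure mode: the weak gate distinguishes "no header" from "some header" rather than "unverified" from "verified", so any non-empty placeholder satisfies it. The strict gate treats every request as unauthenticated until the token verifies.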

Business impact

The exposure of Secret manifests can lead to the compromise of cloud credentials, database passwords, and API keys, facilitating a full-scale breach of the Kubernetes cluster. With a CVSS score of 9.8, this vulnerability poses a severe risk to the confidentiality and integrity of automated CI/CD pipelines and infrastructure.

Remediation

Immediate Action: Upgrade Argo Workflows to a fixed release: 3.7.11 or later on the 3.7 line, or 4.0.2 or later on the 4.0 line. The fix corrects the authentication logic on the template endpoints.

Proactive Monitoring: Audit argo-server and ingress/reverse-proxy access logs for unusual access to the WorkflowTemplates and ClusterWorkflowTemplates endpoints, specifically requests carrying missing, malformed or placeholder Bearer tokens, and treat any such request that was answered with a 2xx status as a likely successful bypass. Note that standard Kubernetes API-server audit logs will not show these requests, because the Argo API is served by argo-server rather than by the Kubernetes API server.
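A concrete version of that audit, added here as an example rather than as tooling from the project: the program scans access-log lines for requests to the template endpoints whose Authorization header is absent, non-Bearer, a placeholder such as "nothing", or implausibly short, and rates a hit "high" when the server answered 2xx. The JSON log schema, field names and every log line are constructed for the example; map your own proxy's fields onto the struct tags before use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// accessLine is the constructed log schema this example assumes: one JSON
// object per request, written by a reverse proxy in front of argo-server
// that records the Authorization header.
type accessLine struct {
	Time   string `json:"time"`
	Remote string `json:"remote_addr"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Auth   string `json:"authorization"`
	Status int    `json:"status"`
}

// finding is one suspicious request. Severity is "high" when the server
// answered 2xx, since that is what a successful bypass looks like.
type finding struct {
	Time     string
	Remote   string
	Path     string
	Status   int
	Reason   string
	Severity string
}

// templatePath matches the namespaced and cluster-scoped template endpoints.
var templatePath = regexp.MustCompile(`^/api/v1/(cluster-)?workflow-templates(/|$)`)

// placeholders are literal non-tokens sent in place of a credential.
var placeholders = map[string]bool{
	"nothing": true, "null": true, "none": true, "undefined": true,
	"token": true, "<token>": true, "xxx": true, "changeme": true,
}

// minTokenLen is a heuristic: service-account and SSO tokens are far longer
// than this. Adjust if your deployment issues short opaque tokens.
const minTokenLen = 20

// suspiciousAuth reports whether an Authorization header value is missing,
// malformed or a placeholder, and why.
func suspiciousAuth(h string) (bool, string) {
	if strings.TrimSpace(h) == "" {
		return true, "no Authorization header"
	}
	fields := strings.Fields(h)
	if !strings.EqualFold(fields[0], "Bearer") {
		return true, "non-Bearer scheme"
	}
	if len(fields) < 2 {
		return true, "empty bearer token"
	}
	tok := fields[1]
	if placeholders[strings.ToLower(tok)] {
		return true, fmt.Sprintf("placeholder token %q", tok)
	}
	if len(tok) < minTokenLen {
		return true, fmt.Sprintf("implausibly short token (%d chars)", len(tok))
	}
	return false, ""
}

// scan returns one finding per suspicious request to a template endpoint.
// Unparseable lines are skipped rather than treated as matches.
func scan(lines []string) []finding {
	var out []finding
	for _, l := range lines {
		var e accessLine
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			continue
		}
		if !templatePath.MatchString(e.Path) {
			continue
		}
		bad, why := suspiciousAuth(e.Auth)
		if !bad {
			continue
		}
		sev := "medium"
		if e.Status >= 200 && e.Status < 300 {
			sev = "high"
		}
		out = append(out, finding{Time: e.Time, Remote: e.Remote, Path: e.Path, Status: e.Status, Reason: why, Severity: sev})
	}
	return out
}

// sampleLog is constructed for this example; none of it is real traffic.
var sampleLog = []string{
	`{"time":"2026-03-01T10:00:01Z","remote_addr":"203.0.113.7","method":"GET","path":"/api/v1/workflow-templates/argo","authorization":"Bearer nothing","status":200}`,
	`{"time":"2026-03-01T10:00:02Z","remote_addr":"203.0.113.7","method":"GET","path":"/api/v1/cluster-workflow-templates","authorization":"","status":401}`,
	`{"time":"2026-03-01T10:00:03Z","remote_addr":"203.0.113.7","method":"GET","path":"/api/v1/workflows/argo","authorization":"Bearer nothing","status":401}`,
	`{"time":"2026-03-01T10:00:04Z","remote_addr":"10.0.0.12","method":"GET","path":"/api/v1/workflow-templates/argo","authorization":"Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJleGFtcGxlIn0.c2lnbmF0dXJlLWV4YW1wbGU","status":200}`,
	`{"time":"2026-03-01T10:00:05Z","remote_addr":"198.51.100.9","method":"GET","path":"/api/v1/workflow-templates/argo/build-and-push","authorization":"Basic dXNlcjpwYXNz","status":403}`,
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("[%s] %s %s -> %d (%s)\n", f.Severity, f.Remote, f.Path, f.Status, f.Reason)
	}
}
```

The third sample line is deliberately a placeholder token against a non-template endpoint: it is excluded so that the output stays focused on the endpoints this CVE affects, but widening templatePath to the whole API is a one-line change if you want broader coverage.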

Compensating Controls: Until patched, reduce who can reach the Argo Workflows API at all. Do not expose argo-server directly to the internet, and apply a Kubernetes NetworkPolicy so that only the ingress controller and the namespaces or pods that legitimately call the API can connect to the argo-server pods. NetworkPolicy restricts network reachability by pod and namespace, not by user identity, and is only enforced when the cluster's CNI supports it; it narrows the attack surface but does not substitute for the upgrade.
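An example of such a policy, added here and not taken from the project's manifests. It assumes argo-server runs in namespace "argo" with the label app=argo-server and listens on TCP 2746, that the ingress controller lives in namespace "ingress-nginx", and that the only in-cluster callers are pods labelled role=ci in namespace "ci"; adjust every selector to your deployment.

```yaml
# Constructed example: allowlist ingress to argo-server pods. Selecting the pod
# with a policy that lists Ingress in policyTypes denies all other inbound
# traffic to it, so anything not matched below is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argo-server-ingress-allowlist
  namespace: argo
spec:
  podSelector:
    matchLabels:
      app: argo-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        # The ingress controller that fronts the UI/API for human users.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        # CI runners that submit workflows via the API.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ci
          podSelector:
            matchLabels:
              role: ci
      ports:
        - protocol: TCP
          port: 2746
```

The kubernetes.io/metadata.name label is set automatically on namespaces by recent Kubernetes releases; on older clusters label the namespaces yourself or select on a label you already manage. Verify the policy is actually enforced by attempting a connection from a pod in an unlisted namespace before relying on it.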

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk of secret leakage in a containerized environment is a critical threat that can lead to catastrophic downstream compromises. Immediate application of the official patches is required to secure sensitive workflow configurations and prevent unauthorized data exfiltration.