Argo Workflows 4.x versions prior to 4.0.5 log all artifact repository credentials in plaintext during artifact operations. Exposed credentials include S3 access keys, GCS service account keys, Azure account keys, and Git passwords. Any user with read access to workflow pod logs can extract these sensitive credentials for unauthorized access to external systems.
Remediation
Upgrade Argo Workflows to the patched version 4.0.5 immediately. Rotate all artifact repository credentials that may have been exposed in workflow logs to prevent unauthorized access to linked services.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.