Argo Workflows Plaintext Exposure of Artifact Repository Credentials Vulnerability

Vulnerability

A vulnerability exists in Argo Workflows versions prior to 3.6.12 and in the 3.7.0 to 3.7.2 range, where artifact repository credentials are logged in plaintext by the workflow-controller. This exposure occurs in the workflow-controller pod logs, which can be accessed by users with permission to read pod logs in the same namespace. The plaintext credentials can be used to access the artifact repository, potentially allowing an attacker to steal, delete, or modify repository data.
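
Because the exposure depends on who can read pod logs in the controller's namespace, the following added example (not part of the original advisory or of the Argo project) lists the subjects whose RBAC bindings grant `get` on `pods/log` there. It assumes the controller runs in a namespace named `argo` and that the RBAC objects have been exported as JSON; the role, binding and subject names in the sample are constructed.

```python
def rule_grants_pod_logs(rule):
    """True if one RBAC rule allows `get` on the core-group pods/log subresource."""
    # resourceNames, if set, narrows the rule to named pods; still reported (conservative).
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(r in ("*", "pods/log", "*/log") for r in rule.get("resources", []))
            and any(v in ("get", "*") for v in rule.get("verbs", [])))

def log_readers(items, namespace):
    """Subjects bound to a Role or ClusterRole that can read pod logs in `namespace`."""
    roles = {(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"]): i
             for i in items if i["kind"] in ("Role", "ClusterRole")}
    found = set()
    for b in items:
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") == namespace:
            ref = b["roleRef"]
            role_ns = namespace if ref["kind"] == "Role" else None
        elif b["kind"] == "ClusterRoleBinding":
            ref, role_ns = b["roleRef"], None
        else:
            continue
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role and any(rule_grants_pod_logs(r) for r in role.get("rules") or []):
            for s in b.get("subjects") or []:
                found.add((s["kind"], s.get("namespace", ""), s["name"]))
    return sorted(found)

# Constructed sample objects, shaped like the items of
# `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`.
def _role(kind, ns, name, resources, verbs):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "rules": [{"apiGroups": [""], "resources": resources, "verbs": verbs}]}

def _bind(kind, ns, name, ref_kind, ref_name, subject):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": [subject]}

SAMPLE = [
    _role("Role", "argo", "wf-debug", ["pods", "pods/log"], ["get", "list"]),
    _role("Role", "argo", "cm-reader", ["configmaps"], ["get"]),
    _role("Role", "default", "log-reader", ["pods/log"], ["get"]),
    _role("ClusterRole", None, "ops-all", ["*"], ["*"]),
    _bind("RoleBinding", "argo", "b1", "Role", "wf-debug", {"kind": "User", "name": "alice"}),
    _bind("RoleBinding", "argo", "b2", "Role", "cm-reader", {"kind": "User", "name": "bob"}),
    _bind("RoleBinding", "default", "b3", "Role", "log-reader", {"kind": "ServiceAccount", "namespace": "default", "name": "ci"}),
    _bind("ClusterRoleBinding", None, "b4", "ClusterRole", "ops-all", {"kind": "Group", "name": "platform-ops"}),
]

if __name__ == "__main__":
    print(log_readers(SAMPLE, "argo"))
```

Every subject it reports should be treated as having had access to the artifact repository credentials while an affected version was running.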

Impact

Exploitation of this vulnerability allows for the extraction of plaintext artifact repository credentials from the workflow-controller logs. This access can lead to unauthorized actions such as stealing, deleting, or modifying artifacts stored in the repository.

Remediation

Users can update to Argo Workflows version 3.6.12 or 3.7.3 to address this vulnerability. Instructions for updating can be found in the Argo Workflows GitHub repository.

Added: Oct 14, 2025, 3:18 PM
Updated: Oct 14, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 6.3
exploitability: 5.1
remediation: 7.7
relevance: 0.7
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.