CVE-2022-29164

7.1 HIGH

📋 TL;DR

This vulnerability in Argo Workflows allows authenticated attackers to create malicious workflows that generate HTML artifacts containing scripts. When victims open these artifacts, the scripts execute with the victim's permissions, enabling unauthorized access to workflow data and management functions. Only authenticated users within the same Kubernetes cluster can exploit this vulnerability.

💻 Affected Systems

Products:
  • Argo Workflows
Versions: before v3.3.1 and v3.2.11
Operating Systems: Any OS running Argo Workflows on Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with HTML artifact generation enabled are vulnerable. Requires attacker to have workflow creation privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive workflow data, delete critical workflows, or create malicious workflows that compromise the entire Kubernetes cluster.

🟠 Likely Case

Insider threats could exfiltrate workflow metadata, disrupt business processes by deleting workflows, or escalate privileges within the Argo Workflows environment.

🟢 If Mitigated

With proper network segmentation and least privilege access, impact would be limited to workflow data within the attacker's authorized scope.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access to the Kubernetes cluster and Argo Workflows instance.
🏢 Internal Only: HIGH - Insider threats with workflow creation privileges can exploit this against other authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires insider access, workflow creation privileges, and understanding of the target's Argo Server API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.3.1 or v3.2.11

Vendor Advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cmv8-6362-r5w9

Restart Required: Yes

Instructions:

1. Back up your workflows and configurations.
2. Update Argo Workflows to v3.3.1 or v3.2.11 using Helm or kubectl.
3. Restart all Argo Workflows components.
4. Verify the update with the 'argo version' command.

🔧 Temporary Workarounds

Disable HTML Artifact Access

linux

Restrict access to HTML artifacts by modifying ingress/network policies to block direct artifact access

kubectl apply -f network-policy.yaml # Create network policy restricting artifact access

Implement Content Security Policy

all

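Add CSP headers to block inline script execution in HTML artifacts. Confirm the flag shown here against the --help output of your argo-server version before relying on it.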

argo-server --csp "default-src 'self'; script-src 'self'" # Example CSP configuration

🧯 If You Can't Patch

  • Implement strict RBAC to limit workflow creation and artifact access to trusted users only
  • Monitor for suspicious workflow creations and HTML artifact generation patterns

🔍 How to Verify

Check if Vulnerable:

Check Argo Workflows version with 'argo version' or 'kubectl get deployment argo-server -o yaml | grep image'

Check Version:

argo version

Verify Fix Applied:

Confirm version is v3.3.1 or v3.2.11+ and test that HTML artifacts no longer execute scripts with API access
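
The version comparison above as a script. This is an added example, not code from the advisory or the Argo project. It assumes version strings of the form vMAJOR.MINOR.PATCH with an optional suffix, and that releases after the 3.3 branch carry the fix.

```shell
#!/bin/sh
# Added example: classify an Argo Workflows version against the fixed
# releases named on this page (v3.3.1 and v3.2.11).
# Assumption: versions look like vMAJOR.MINOR.PATCH with an optional
# -prerelease or +build suffix (as in an image tag).

# Prints "vulnerable", "fixed" or "unknown" (returns 2 for unknown).
argo_cve_2022_29164_status() {
    ver=${1#v}                  # drop the leading "v"
    ver=${ver%%+*}              # drop build metadata
    case $ver in
        *-*) pre=1 ;;           # pre-release, sorts before the release
        *)   pre=0 ;;
    esac
    core=${ver%%-*}
    case $core in               # digits and dots only, no empty fields
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $core                # split into MAJOR MINOR PATCH
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 2; }
    major=$1; minor=$2; patch=$3

    if [ "$major" -lt 3 ]; then echo vulnerable; return 0; fi
    if [ "$major" -gt 3 ]; then echo fixed; return 0; fi
    # On 3.x the fixed patch level depends on the release branch.
    if   [ "$minor" -lt 2 ]; then echo vulnerable; return 0
    elif [ "$minor" -eq 2 ]; then fix=11
    elif [ "$minor" -eq 3 ]; then fix=1
    else echo fixed; return 0   # assumption: later branches include the fix
    fi
    if [ "$patch" -lt "$fix" ] || { [ "$patch" -eq "$fix" ] && [ "$pre" -eq 1 ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed sample inputs, not taken from a real cluster.
for v in v3.2.10 v3.2.11 v3.3.0 v3.3.1-rc1 v3.3.1 v3.4.0 latest; do
    printf '%-12s %s\n' "$v" "$(argo_cve_2022_29164_status "$v")"
done
```

Pass it the version reported by 'argo version' or the tag on the argo-server image. A floating tag such as "latest" is reported as unknown and has to be resolved to a release first.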

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML artifact generation patterns
  • Workflow creations from unexpected users
  • API calls from artifact URLs

Network Indicators:

  • HTTP requests from artifact endpoints to Argo Server API
  • Cross-origin requests from artifact domains

SIEM Query:

source="argo-server" AND (artifact_type="html" OR uri="/artifacts/*.html") AND status=200
