In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
No data.
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2021-1738 | In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated. |
 Github GHSA |
GHSA-h563-xh25-x54q | Workflow re-write vulnerability using input parameter |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 13 Feb 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Argoproj
Argoproj argo Workflows |
|
| CPEs | cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:* | |
| Vendors & Products |
Argo-workflows Project
Argo-workflows Project argo-workflows |
Argoproj
Argoproj argo Workflows |
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-04T01:30:09.170Z
Reserved: 2021-08-02T00:00:00
Link: CVE-2021-37914
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2021-08-03T00:15:08.607
Modified: 2026-02-13T21:46:43.743
Link: CVE-2021-37914
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses