HIGH🇵🇱 Wersja polska

CVE-2026-40886

CVSS 7.7v3.1pub. 2026-04-23upd. 2026-06-30

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • Argoproj Argo Workflows

    APP
    Argoproj
    3.6.5 – 3.6.193.7.0 – 3.7.14 (bez)4.0.0 – 4.0.5 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-28229CRITICAL9.8PL ✓ten sam produkt

Argo Workflows: nieautoryzowany dostęp do szablonów workflow i wykradanie sekretów

CVE-2026-42296HIGH8.1ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42295HIGH8.5ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42294HIGH8.2ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...

CVE-2026-42297HIGH8.5ten sam produkt

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete...