Skip to main content

Argo Workflows CVE-2026-42296

HIGH
Incorrect Authorization (CWE-863)
2026-05-04 https://github.com/argoproj/argo-workflows GHSA-3775-99mw-8rp4
8.1
CVSS 3.1 · Vendor: https://github.com/argoproj/argo-workflows
Share

Severity by source

Vendor (https://github.com/argoproj/argo-workflows) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/argoproj/argo-workflows).

CVSS VectorVendor: https://github.com/argoproj/argo-workflows

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 21:02 vuln.today
Analysis Generated
May 04, 2026 - 21:02 vuln.today

DescriptionCVE.org

The fix for CVE-2026-31892 (commit 534f4ff) blocks podSpecPatch when templateReferencing: Strict is active, but doesn't restrict other WorkflowSpec fields that flow through the same merge path and get applied to pods. A user can set hostNetwork: true, override serviceAccountName, or change securityContext on their Workflow while referencing a hardened template -- these survive JoinWorkflowSpec and get applied at pod creation.

The check in setExecWorkflow gates on HasPodSpecPatch() only:

go
if woc.controller.Config.WorkflowRestrictions.MustUseReference() && woc.wf.Spec.HasPodSpecPatch() {

Everything else passes through. createWorkflowPod reads hostNetwork, securityContext, serviceAccountName, tolerations, and automountServiceAccountToken from the merged spec and applies them directly to the pod.

JoinWorkflowSpec constructs the merge target from the user's spec and applies the template as a patch -- user fields take priority. When the template doesn't explicitly set a field like hostNetwork (most won't -- false is the zero value and gets omitted), the user's true survives. For fields like securityContext and serviceAccountName, the template-level value takes precedence IF the template explicitly sets it. The bypass applies when the template relies on defaults.

Both Strict and Secure modes are affected. Secure stores the merged spec on first submission, so user overrides get baked into the stored spec and subsequent MustNotChangeSpec comparisons pass.

Steps to reproduce

Tested on v4.0.2 (the CVE-2026-31892 patched version) on kind v0.27.0 / K8s v1.35.0.

bash
# enable strict mode
kubectl patch configmap workflow-controller-configmap -n argo --type merge \
  -p '{"data":{"workflowRestrictions":"templateReferencing: Strict\n"}}'
kubectl rollout restart deployment workflow-controller -n argo

A template that lists network interfaces:

bash
cat <<'EOF' | kubectl apply -n argo -f -
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: netcheck
spec:
  entrypoint: check
  templates:
  - name: check
    container:
      image: alpine:latest
      command: ["/bin/sh", "-c"]
      args: ["ip addr show | grep -E '^[0-9]+:' | cut -d: -f2"]
EOF

Submit a workflow with hostNetwork: true:

bash
cat <<'EOF' | kubectl create -n argo -f -
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: bypass-
spec:
  workflowTemplateRef:
    name: netcheck
  hostNetwork: true
EOF

Pod gets host networking:

$ kubectl get pod -n argo -l workflows.argoproj.io/workflow=bypass-bmg9b -o jsonpath='{.items[0].spec.hostNetwork}'
true

Container without the override sees eth0@if20. With the override, the pod sees the host's full network namespace -- all veth interfaces for other containers on the node.

podSpecPatch IS correctly blocked on the same cluster:

$ kubectl get workflow patched-check-jd272 -n argo -o jsonpath='{.status.message}'
podSpecPatch is not permitted when using workflowTemplateRef with templateReferencing restriction

serviceAccountName override also works -- a workflow with serviceAccountName: argo-server creates a pod running under the argo-server SA instead of the namespace default:

$ kubectl get pod -n argo -l workflows.argoproj.io/workflow=bypass-sa-slmjs -o jsonpath='{.items[0].spec.serviceAccountName}'
argo-server

Tested in Secure mode as well -- same result. Pod created with hostNetwork: true before the workflow errors on an unrelated permission issue.

Impact

A user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature.

The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed.

Fix direction

The check in setExecWorkflow should cover all WorkflowSpec fields that influence pod security posture, not just podSpecPatch. The affected fields that I confirmed in createWorkflowPod: hostNetwork, securityContext, serviceAccountName, automountServiceAccountToken, tolerations, dnsPolicy, schedulerName, hostAliases, volumes.

An alternative approach: when MustUseReference() is true, strip all user-set WorkflowSpec fields except a known-safe allowlist (entrypoint, arguments, labels, annotations) before merging. This avoids a growing denylist as new fields get added.

Affected versions

All versions supporting templateReferencing, including v4.0.2 and v3.7.11 which patched CVE-2026-31892.

AnalysisAI

Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Technical ContextAI

Argo Workflows orchestrates Kubernetes-native workflows by translating Workflow CRDs into pods. The templateReferencing Strict/Secure modes (introduced to enforce hardened WorkflowTemplates) use JoinWorkflowSpec to merge user-submitted Workflow specs with referenced WorkflowTemplates via strategic merge patch. The original CVE-2026-31892 fix added validation in setExecWorkflow that rejected workflows when HasPodSpecPatch() returned true. However, CWE-863 (Incorrect Authorization) occurs because the check is incomplete-WorkflowSpec contains multiple pod-influencing fields (hostNetwork, securityContext, serviceAccountName, automountServiceAccountToken, tolerations, dnsPolicy, schedulerName, hostAliases, volumes) that createWorkflowPod reads directly from the merged spec. When a WorkflowTemplate omits these fields (relying on Kubernetes defaults where false/nil is the zero value), user-supplied overrides survive the merge and get applied to pods. The Go package github.com/argoproj/argo-workflows implements workflow execution logic; affected components are workflow/controller/operator.go (setExecWorkflow, setStoredWfSpec) and workflow/util (JoinWorkflowSpec). The fix introduces ValidateUserOverrides and SanitizeUserWorkflowSpec functions that enforce an allow-list (entrypoint, arguments, labels, annotations) and reject all other fields when MustUseReference() is true.

RemediationAI

Upgrade to Argo Workflows v3.7.14 or v4.0.5 which implement comprehensive validation via ValidateUserOverrides and SanitizeUserWorkflowSpec functions that enforce an allow-list of safe WorkflowSpec fields (entrypoint, arguments, labels, annotations) when templateReferencing restrictions are active. Patched versions available at https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5. Upstream fix commit: https://github.com/argoproj/argo-workflows/commit/2727f3f701677d467dfb5e053c57237cbc752c3c modifies workflow/controller/operator.go to sanitize user specs before merging and rejects workflows containing non-allowed fields. If immediate patching is not feasible, implement compensating controls: (1) Deploy Kubernetes PodSecurity admission with restricted profile enforcement on namespaces running Argo Workflows-this blocks hostNetwork, privileged securityContext, and hostPath volumes but does NOT prevent serviceAccountName switching; trade-off is potential breakage of legitimate workflows requiring elevated privileges. (2) Deploy OPA Gatekeeper or Kyverno policies that validate Workflow CRDs before admission, explicitly denying WorkflowSpec fields outside the allow-list (entrypoint, arguments, metadata) when workflowTemplateRef is present; trade-off is policy maintenance overhead and potential for bypass if policy logic mirrors Argo's incomplete validation. (3) Use Kubernetes RBAC to restrict which ServiceAccounts can be referenced via serviceAccountName through custom admission webhooks; this limits lateral movement but does not address hostNetwork or securityContext bypasses. (4) Disable templateReferencing restrictions and rely solely on namespace-level PodSecurityPolicy/PodSecurity admission; trade-off is loss of Argo-native template enforcement and increased operational complexity. No workaround fully mitigates the vulnerability-patching is the only complete remediation.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

Share

CVE-2026-42296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy