Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated workflow submitter (PR:L) over the API (AV:N); AC:H because a specific referenced-template + artifact-GC configuration is required; privileged pod escapes to the node (S:C) with full C/I/A impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOverrides and SanitizeUserWorkflowSpec walk only the top-level fields of WorkflowSpec via reflection, and WorkflowSpec.ArtifactGC is allow-listed wholesale; the struct behind that field, WorkflowLevelArtifactGC, has a PodSpecPatch sub-field whose contents flow unmodified into util.ApplyPodSpecPatch on the artifact-GC pod, the same sink the original fix closed for WorkflowSpec.PodSpecPatch, so a user submitting a Workflow under templateReferencing: Strict or Secure (against a referenced WorkflowTemplate that declares an output artifact and setting spec.artifactGC.strategy: OnWorkflowCompletion) can still inject an arbitrary strategic merge patch into the artifact-GC pod, including hostPath volumes, privileged: true, arbitrary image and command, and hostNetwork: true, defeating the stated purpose of Strict/Secure reference mode. This issue is fixed in versions 3.7.15 and 4.0.6.
Articles & Coverage 1
AnalysisAI
Privilege escalation in Argo Workflows before 3.7.15 and 4.0.6 lets a low-privileged user who can submit Workflows bypass the Strict/Secure templateReferencing protections and inject an arbitrary strategic-merge PodSpecPatch into the artifact garbage-collection pod. Because the fix for CVE-2026-31892 only walked top-level WorkflowSpec fields and allow-listed WorkflowSpec.ArtifactGC wholesale, its nested WorkflowLevelArtifactGC.PodSpecPatch flowed unmodified into util.ApplyPodSpecPatch, allowing an attacker to spawn a pod with privileged: true, hostPath volumes, hostNetwork: true, and an attacker-chosen image and command. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated user with rights to submit a Workflow (CVSS PR:L) that references a WorkflowTemplate under templateReferencing: Strict or Secure mode, where that referenced WorkflowTemplate declares an output artifact AND the submitted workflow sets spec.artifactGC.strategy: OnWorkflowCompletion; the malicious payload is placed in the nested spec.artifactGC.podSpecPatch (WorkflowLevelArtifactGC.PodSpecPatch) field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuinely high-impact issue but a conditional, authenticated one, not a spray-and-pray internet exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant with permission only to submit Workflows references a hardened WorkflowTemplate (Strict/Secure mode) that declares an output artifact, and sets spec.artifactGC.strategy: OnWorkflowCompletion plus a spec.artifactGC.podSpecPatch containing privileged: true, a hostPath mount of the node root, hostNetwork: true, and an attacker image and command. When the workflow completes, the controller creates the artifact-GC pod with the injected patch, giving the attacker a privileged container on a cluster node for host filesystem access and lateral movement. … |
| Remediation | Vendor-released patch: upgrade to Argo Workflows 3.7.15 (3.x users) or 4.0.6 (4.x users), per GHSA-48p8-g2fx-3wwm and fix commits 277e9cef0ad16d7eaaab253573d0695951a65dbd and 358cc3968c8f06f1be0967e41df191088db0b662; these add validation-time rejection and sanitization of ArtifactGC.PodSpecPatch, ArtifactGC.ServiceAccountName, and ArtifactGC.PodMetadata. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Argo Workflows deployments and identify versions prior to 3.7.15 (v3 track) or 4.0.6 (v4 track); audit RBAC policies to determine which users and service accounts currently have permission to submit workflows. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45029