SB2026042339 - Multiple vulnerabilities in Argo Workflows


Published: April 23, 2026

Security Bulletin ID: SB2026042339
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 6 vulnerabilities.


1) NULL pointer dereference (CVE-ID: N/A)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the rbacAuthorization() function in server/auth/gatekeeper.go when handling API requests from SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule. A remote user can send a request to an affected workflow namespace to cause a denial of service.

Exploitation requires SSO RBAC delegation to namespaces to be enabled (SSO_DELEGATE_RBAC_TO_NAMESPACE=true).


2) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read and modify synchronization limits and related ConfigMaps.

The vulnerability exists due to improper access control in the Sync Service ConfigMap-backed provider in server/sync/sync_cm.go when handling create, read, update, and delete sync limit requests. A remote user can send crafted API requests to read and modify synchronization limits and related ConfigMaps.

Exploitation requires Argo Server to be running with --auth-mode=server.


3) Improper Validation of Array Index (CVE-ID: CVE-2026-40886)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper validation of an array index in the pod informer's podGCFromPod() function when processing a workflow pod with a malformed workflows.argoproj.io/pod-gc-strategy annotation. A remote user can submit a workflow containing a crafted annotation to cause a denial of service.

The panic occurs in an informer goroutine outside the controller's recover scope, and the poisoned pod persists across restarts, causing a crash loop that halts workflow processing until the offending workflow is removed.


4) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass workflow template restrictions and modify pod security-sensitive settings.

The vulnerability exists due to incorrect authorization in WorkflowSpec merging and enforcement logic when submitting a workflow that references a hardened template under templateReferencing Strict or Secure mode. A remote user can submit a crafted workflow with overridden fields such as hostNetwork, serviceAccountName, or securityContext to bypass workflow template restrictions and modify pod security-sensitive settings.

The bypass applies when user-supplied WorkflowSpec fields survive JoinWorkflowSpec and are applied during pod creation, including in Secure mode where the merged spec is stored on first submission.


5) Insufficiently protected credentials (CVE-ID: N/A)

CWE-ID: CWE-522 - Insufficiently Protected Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive credentials.

The vulnerability exists due to insufficiently protected credentials in the workflow executor logging driver when logging artifact operations. A remote privileged user can read workflow pod logs to disclose sensitive credentials.

Any user with Kubernetes RBAC permissions to read pod logs in the workflow namespace can extract artifact repository credentials, including S3, OSS, and GCS credential fields.


6) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled memory consumption in the webhook interceptor when handling requests to the /api/v1/events/ endpoint with an extremely large body before authentication or signature verification. A remote attacker can send a specially crafted request with an extremely large body to cause a denial of service.

The issue can cause the Argo Server to allocate excessive memory and potentially crash with an out-of-memory condition.


Remediation

Install the update from the vendor's website.