Main Vulnerability Database Vulnerabilities #VU126905

Incorrect authorization in Argo Workflows - CVE-2026-31892

Published: April 23, 2026

Vulnerability identifier: #VU126905

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-31892

CWE-ID: CWE-863

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Argo

Affected software:
Argo Workflows

Detailed vulnerability description

The vulnerability allows a remote user to bypass security restrictions and gain root access to the underlying Kubernetes node.

The vulnerability exists due to incorrect authorization in the WorkflowTemplate reference handling and podSpecPatch processing when submitting a Workflow that references an approved WorkflowTemplate with a crafted podSpecPatch. A remote user can submit a Workflow containing a crafted podSpecPatch to bypass security restrictions and gain root access to the underlying Kubernetes node.

The issue occurs even when the controller is configured with templateReferencing set to Strict or Secure, because podSpecPatch takes precedence during spec merging and is applied without security validation.

How to mitigate CVE-2026-31892

Install security update from vendor's website.

Sources

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3wf5-g532-rcrr

Incorrect authorization in Argo Workflows - CVE-2026-31892

Detailed vulnerability description

How to mitigate CVE-2026-31892

Sources

Please verify you're human