Main Vulnerability Database Vulnerabilities #VU126909

Incorrect authorization in Argo Workflows - #VU126909

Published: April 23, 2026

Vulnerability identifier: #VU126909

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-863

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Argo

Affected software:
Argo Workflows

Detailed vulnerability description

The vulnerability allows a remote user to bypass workflow template restrictions and modify pod security-sensitive settings.

The vulnerability exists due to incorrect authorization in WorkflowSpec merging and enforcement logic when submitting a workflow that references a hardened template under templateReferencing Strict or Secure mode. A remote user can submit a crafted workflow with overridden fields such as hostNetwork, serviceAccountName, or securityContext to bypass workflow template restrictions and modify pod security-sensitive settings.

The bypass applies when user-supplied WorkflowSpec fields survive JoinWorkflowSpec and are applied during pod creation, including in Secure mode where the merged spec is stored on first submission.

Remediation

Install security update from vendor's website.

Incorrect authorization in Argo Workflows - #VU126909

Detailed vulnerability description

Remediation

Sources

Please verify you're human