CVE-2026-40886

EUVD-2026-25267

23.04.2026, 19:17

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.7 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
argoproj	argo_workflows	3.6.5 ≤ 𝑥 ≤ 3.6.19
argoproj	argo_workflows	3.7.0 ≤ 𝑥 < 3.7.14
argoproj	argo_workflows	4.0.0 ≤ 𝑥 < 4.0.5

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-129 - Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p