CVE-2026-40886

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p	Exploit Vendor Advisory
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:argoproj:argo_workflows::::::go::*
	cpe:2.3:a:argoproj:argo_workflows::::::go::*
	cpe:2.3:a:argoproj:argo_workflows::::::go::*

History

28 Apr 2026, 14:09

Type	Values Removed	Values Added
First Time		Argoproj argo Workflows Argoproj
References	~~() https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p -~~	() https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p - Exploit, Vendor Advisory
CPE		cpe:2.3:a:argoproj:argo_workflows::::::go::*

25 Apr 2026, 02:16

Type	Values Removed	Values Added
References	~~() https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p -~~	() https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p -

23 Apr 2026, 19:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-23 19:17

Updated : 2026-06-17 10:45

NVD link : CVE-2026-40886

Mitre link : CVE-2026-40886

CVE.ORG link : CVE-2026-40886

JSON object : View

Products Affected

argoproj

argo_workflows

CWE

CWE-129

Improper Validation of Array Index

{"id": "CVE-2026-40886", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-40886", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:22:21.094335Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "argoproj", "product": "argo-workflows", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.0.5"}, {"status": "affected", "version": ">= 3.7.0, < 3.7.14"}, {"status": "affected", "version": ">= 3.6.5, <= 3.6.19"}]}]}], "published": "2026-04-23T19:17:28.617", "references": [{"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14."}], "lastModified": "2026-06-17T10:45:49.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D1CB14B6-225D-422A-9FB0-509288D899F0", "versionEndIncluding": "3.6.19", "versionStartIncluding": "3.6.5"}, {"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "9DAB70D2-949B-48BA-8624-F01907A85D86", "versionEndExcluding": "3.7.14", "versionStartIncluding": "3.7.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "675D5F2B-A490-42EB-B1A1-0CE05D2BB4CF", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}