Unchecked Array Index in Argo Workflows Causes Controller Crash
CVE-2026-40886

7.7 HIGH

Key Information:

Vendor: Argoproj
CVE Published: 23 April 2026

What is CVE-2026-40886?

In Argo Workflows versions 3.6.5 to 4.0.4, the pod informer's podGCFromPod() function uses an unchecked array index. A workflow pod with a malformed workflows.argoproj.io/pod-gc-strategy annotation triggers a controller-wide panic. Because the panic occurs within an informer goroutine, the entire controller process crashes and workflow processing stops. The malformed pod causes a crash loop that persists across restarts, disrupting operations until affected users manually delete the pod. The issue has been addressed in versions 3.7.14 and 4.0.5.
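
The following Go sketch is an added example, not code from Argo Workflows or from this advisory. It shows a length-checked parse of the workflows.argoproj.io/pod-gc-strategy annotation and a scan that lists pods whose value does not parse, which are the pods an operator would need to delete. The "<strategy>/<delay>" value format, the podGC type, and the parsePodGC and findMalformed names are assumptions; the sample pods are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation key named in the advisory.
const podGCAnnotation = "workflows.argoproj.io/pod-gc-strategy"

// podGC is a hypothetical stand-in for the controller's parsed strategy.
type podGC struct{ Strategy, Delay string }

// parsePodGC assumes a "<strategy>/<delay>" value (an assumption, not taken from
// the advisory). It checks the slice length before indexing and returns an error.
func parsePodGC(val string) (podGC, error) {
	parts := strings.Split(val, "/")
	if len(parts) != 2 || parts[0] == "" {
		return podGC{}, fmt.Errorf("want <strategy>/<delay>, got %q", val)
	}
	return podGC{Strategy: parts[0], Delay: parts[1]}, nil
}

// findMalformed returns, sorted by name, the pods whose annotation does not parse.
func findMalformed(pods map[string]map[string]string) []string {
	var bad []string
	for name, ann := range pods {
		if val, ok := ann[podGCAnnotation]; ok {
			if _, err := parsePodGC(val); err != nil {
				bad = append(bad, name)
			}
		}
	}
	sort.Strings(bad)
	return bad
}

// Constructed sample input: pod name -> annotations.
var samplePods = map[string]map[string]string{
	"wf-a": {podGCAnnotation: "OnPodCompletion/30s"},
	"wf-b": {podGCAnnotation: "OnPodCompletion"},
	"wf-c": {},
	"wf-d": {podGCAnnotation: ""},
}

func main() { fmt.Println(findMalformed(samplePods)) }
```

Pods without the annotation are skipped, since only a present but malformed value is relevant here.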

Affected Version(s)

argo-workflows >= 4.0.0, < 4.0.5

argo-workflows >= 3.7.0, < 3.7.14

argo-workflows >= 3.6.5, <= 3.6.19

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved