Argo Workflows Vulnerability in Kubernetes Orchestration
CVE-2026-42296

8.1HIGH

Key Information:

Vendor

Argoproj

Status
Argo-workflows
Vendor
CVE Published:
9 May 2026

What is CVE-2026-42296?

A vulnerability in Argo Workflows allows users with create Workflow permissions to bypass the Strict mode for template referencing. This enables unauthorized access to the host network, switching of service accounts, overriding pod security contexts, and scheduling on control-plane nodes. Such actions compromise the feature's intended security measures, with the impact being contingent on the existing Kubernetes-level security controls. Clusters utilizing PodSecurity admission or OPA/Gatekeeper would mitigate some consequences, but those relying solely on Argo's Strict mode are entirely exposed. Versions 3.7.14 and 4.0.5 have addressed this issue, ensuring better security for users.

Affected Version(s)

argo-workflows < 3.7.14 < 3.7.14

argo-workflows >= 4.0.0, < 4.0.5 < 4.0.0, 4.0.5

References

https://github.com/argoproj/argo-workflows/security/advis...
x_refsource_CONFIRM
https://github.com/argoproj/argo-workflows/commit/534f4ff...
x_refsource_MISC
https://github.com/argoproj/argo-workflows/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.