Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
Published: 2026-04-23
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Argo Workflows 3.6.5 through 4.0.4 contain an unchecked array index in the pod informer's podGCFromPod() function, which can be triggered by a malformed workflows.argoproj.io/pod-gc-strategy annotation on a workflow pod. When this occurs, the controller goroutine panics outside its recover scope, causing the entire Argo Workflows controller process to crash. The poisoned pod remains across restarts, leading to a crash loop that stops all workflow processing and effectively denies service to users of the workflow engine. The weakness is reflected in CWE‑129 and CWE‑1285, unchecked indexing and array bounds errors.

Affected Systems

The affected product is Argo Workflows from the argoproj organization. Versions from 3.6.5 up to and including 4.0.4 are impacted. The vulnerability is fixed in releases 4.0.5 and 3.7.14, which should be applied by users on the affected versions.

Risk and Exploitability

The CVSS score of 7.7 indicates a fairly high severity, while the EPSS score of under 1% shows a low probability of exploitation under current conditions. The vulnerability is not catalogued by CISA in KEV. Based on the description, the likely attack vector requires an adversary who can submit or modify workflow pods within the Kubernetes cluster, inserting a malformed workflows.argoproj.io/pod-gc-strategy annotation. This suggests a local or privileged cluster attacker would need sufficient permissions to create or alter workflow pods to exploit the flaw.

Generated by OpenCVE AI on May 1, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Argo Workflows to version 4.0.5 or 3.7.14 (or later) which contains the fix for the unchecked array index bug.
  • If an upgrade cannot be performed immediately, delete any pod that contains a malformed workflows.argoproj.io/pod-gc-strategy annotation to stop the crash loop and restore controller operation.
  • Implement validation of the workflows.argoproj.io/pod-gc-strategy annotation to ensure only valid values are accepted, reducing the risk of future crashes.

Generated by OpenCVE AI on May 1, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5jv8-h7qh-rf5p Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows Controller
History

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 28 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj argo Workflows
CPEs cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*
Vendors & Products Argoproj argo Workflows

Mon, 27 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Argoproj
Argoproj argo-workflows
Vendors & Products Argoproj
Argoproj argo-workflows

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
Title Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
Weaknesses CWE-129
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

Argoproj Argo-workflows Argo Workflows
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:22:45.497Z

Reserved: 2026-04-15T15:57:41.719Z

Link: CVE-2026-40886

cve-icon Vulnrichment

Updated: 2026-04-25T01:22:37.215Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T19:17:28.617

Modified: 2026-04-28T14:09:25.893

Link: CVE-2026-40886

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-23T18:12:05Z

Links: CVE-2026-40886 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses