PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31892 Argoproj CVE debrief

CVE-2026-31892 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows a user who can submit Workflows to completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This bypass occurs even when the controller is configured with templateReferencing: Strict, which is intended to restrict users to admin-approved templates. The podSpecPatch field takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time without security validation. The vulnerability is fixed in versions 4.0.2 and 3.7.11.

Vendor
Argoproj
Product
Argo Workflows
CVSS
HIGH 8.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-11
Original CVE updated
2026-06-30
Advisory published
2026-03-11
Advisory updated
2026-06-30

Who should care

Users of Argo Workflows, especially those who allow untrusted users to submit Workflows, should be aware of this vulnerability. Security teams and administrators responsible for Kubernetes environments where Argo Workflows is deployed should prioritize patching to prevent potential security breaches.

Technical summary

The vulnerability in Argo Workflows arises from the podSpecPatch field in Workflow submissions, which can override security settings in WorkflowTemplates. Even with strict template referencing enabled, users can bypass security by including this field. The issue is addressed in Argo Workflows versions 4.0.2 and 3.7.11. Affected versions include 2.9.0 to before 4.0.2 and 3.7.11. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.9, indicating a high severity.

Defensive priority

Given the high CVSS score of 8.9, defenders should prioritize patching Argo Workflows instances to versions 4.0.2 or 3.7.11. Immediate action is recommended for environments where untrusted users can submit Workflows.

Recommended defensive actions

  • Patch Argo Workflows to version 4.0.2 or 3.7.11.
  • Restrict Workflow submissions to trusted users.
  • Monitor for suspicious Workflow submissions.
  • Review and update WorkflowTemplates to ensure security settings are properly enforced.
  • Consider implementing additional security controls, such as network policies or pod security policies, to mitigate potential impacts.

Evidence notes

The CVE-2026-31892 vulnerability is documented in the official CVE record and the National Vulnerability Database (NVD). Multiple sources, including GitHub security advisories and Red Hat security bulletins, provide additional details and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.