PatchSiren cyber security CVE debrief

CVE-2026-40886 Argoproj CVE debrief

CVE-2026-40886 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine. The vulnerability causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. This panic occurs inside an informer goroutine, outside the controller's recover() scope, crashing the entire controller process. The affected pod persists across restarts, causing a crash loop that halts all workflow processing until manually deleted. Argo Workflows versions from 3.6.5 to 4.0.4 are affected. The vulnerability is fixed in versions 4.0.5 and 3.7.14.

Vendor: Argoproj
Product: Argo Workflows
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-06-30
Advisory published: 2026-04-23
Advisory updated: 2026-06-30

Who should care

Users of Argo Workflows, especially those managing Kubernetes environments, should be aware of this vulnerability. If your workflows depend on Argo Workflows, assess your exposure and take steps to mitigate the risk. This vulnerability could lead to denial-of-service (DoS) attacks on your workflow processing.

Technical summary

The vulnerability is caused by an unchecked array index in the pod informer's podGCFromPod() function. When a workflow pod contains a malformed workflows.argoproj.io/pod-gc-strategy annotation, it triggers a panic in the informer goroutine. This panic is not caught by the controller's recover() mechanism, leading to a crash of the entire controller process. The affected versions of Argo Workflows are from 3.6.5 to 4.0.4. The fixes are available in versions 4.0.5 and 3.7.14.
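The following is an added example, not Argo Workflows' own code: it shows the CWE-129 pattern the summary describes (an annotation value indexed without a length check), a hardened parser that rejects malformed values, and a wrapper that recovers a panic inside the handler's own goroutine. The "strategy/delay" layout of the annotation value, the function names and the string-only handler signature are assumptions made for illustration; the four strategy names are Argo's PodGC strategies.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Allowlist of Argo PodGC strategy names; anything else is rejected.
var knownStrategies = map[string]bool{"OnPodCompletion": true, "OnPodSuccess": true,
	"OnWorkflowCompletion": true, "OnWorkflowSuccess": true}

// parseUnchecked shows the CWE-129 pattern: parts[1] is read without a length check,
// so a value with no "/" panics. (The "strategy/delay" layout is an assumption here.)
func parseUnchecked(v string) (string, string) {
	parts := strings.Split(v, "/")
	return parts[0], parts[1]
}

// parsePodGC is the hardened variant: it length-checks before every index and
// turns malformed input into an error the caller can log and skip.
func parsePodGC(v string) (strategy string, delay time.Duration, err error) {
	parts := strings.Split(v, "/")
	if len(parts) > 2 || !knownStrategies[parts[0]] {
		return "", 0, fmt.Errorf("malformed pod-gc-strategy annotation %q", v)
	}
	if len(parts) == 2 {
		if delay, err = time.ParseDuration(parts[1]); err != nil || delay < 0 {
			return "", 0, fmt.Errorf("bad delay in %q: %v", v, err)
		}
	}
	return parts[0], delay, nil
}

// guard wraps an informer event handler so a panic on one malformed object is
// recovered in that goroutine and returned as an error, not a process crash.
func guard(h func(string) error) func(string) error {
	return func(v string) (err error) {
		defer func() {
			if r := recover(); r != nil {
				err = fmt.Errorf("handler panicked on annotation %q: %v", v, r)
			}
		}()
		return h(v)
	}
}

func main() { // constructed sample values: one well-formed, one malformed
	for _, v := range []string{"OnPodCompletion/30s", "OnPodCompletion"} {
		fmt.Println(parsePodGC(v))
	}
}
```

The guard wrapper only contains the panic; the operational fix remains deleting the offending pod and upgrading to a fixed release.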

Defensive priority

Given the high severity and the potential for denial of service, defenders should prioritize patching or mitigating this vulnerability. Update Argo Workflows to a fixed release: 3.7.14 for the 3.x line or 4.0.5 for the 4.x line.

Recommended defensive actions

  • Update Argo Workflows to version 4.0.5 or 3.7.14.
  • Review and validate annotations on workflow pods to prevent exploitation.
  • Monitor for unusual workflow processing halts or controller crashes.
  • Implement compensating controls to detect and respond to potential DoS attacks.
  • Review and update incident response plans to include steps for addressing this vulnerability.

Evidence notes

The CVE-2026-40886 vulnerability is documented in the official CVE record and NVD detail pages. Additional information is available from Argo Workflows' security advisories and Red Hat's security bulletins. The vulnerability has a CVSS score of 7.7 and is classified as CWE-129 (Unchecked Array Index).

This article is AI-assisted and based on the supplied source corpus.