PatchSiren cyber security CVE debrief
CVE-2026-40886 Argoproj CVE debrief
CVE-2026-40886 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine. The vulnerability causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. This panic occurs inside an informer goroutine, outside the controller's recover() scope, crashing the entire controller process. The affected pod persists across restarts, causing a crash loop that halts all workflow processing until manually deleted. Argo Workflows versions from 3.6.5 to 4.0.4 are affected. The vulnerability is fixed in versions 4.0.5 and 3.7.14.
- Vendor: Argoproj
- Product: Argo Workflows
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-23
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-23
- Advisory updated: 2026-06-30
Who should care
Users of Argo Workflows, especially those managing Kubernetes environments, should be aware of this vulnerability. If your workflows depend on Argo Workflows, assess your exposure and take steps to mitigate the risk. This vulnerability could lead to denial-of-service (DoS) attacks on your workflow processing.
Technical summary
The vulnerability is caused by an unchecked array index in the pod informer's podGCFromPod() function. When a workflow pod contains a malformed workflows.argoproj.io/pod-gc-strategy annotation, it triggers a panic in the informer goroutine. This panic is not caught by the controller's recover() mechanism, leading to a crash of the entire controller process. The affected versions of Argo Workflows are from 3.6.5 to 4.0.4. The fixes are available in versions 4.0.5 and 3.7.14.
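As an added illustration (not Argo Workflows' code and not the real podGCFromPod() implementation), the Go program below shows the CWE-129 shape of the bug next to a hardened parser, plus a handler wrapper that keeps a panic on one pod from ending the whole process. The strategy names, the single-token value format and all function names are assumptions; only the annotation key comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed example, not Argo Workflows' code. The annotation key comes from
// the advisory; the strategy names and one-token value format are assumptions.
const podGCAnnotation = "workflows.argoproj.io/pod-gc-strategy"
var knownStrategies = map[string]bool{"OnPodCompletion": true, "OnPodSuccess": true,
	"OnWorkflowCompletion": true, "OnWorkflowSuccess": true}
var ErrMalformedPodGC = errors.New("malformed pod-gc-strategy annotation")

// CWE-129 shape: indexes the split value with no length check; an empty value panics.
func unsafePodGC(annotations map[string]string) string {
	return strings.Fields(annotations[podGCAnnotation])[0]
}

// Hardened form: the length is checked and the value must name a known
// strategy; a malformed value comes back as an error, never as a panic.
func parsePodGC(annotations map[string]string) (string, error) {
	v, ok := annotations[podGCAnnotation]
	if !ok {
		return "", nil // no annotation: nothing to garbage-collect
	}
	if f := strings.Fields(v); len(f) == 1 && knownStrategies[f[0]] {
		return f[0], nil
	}
	return "", fmt.Errorf("%w: %q", ErrMalformedPodGC, v)
}

// guarded turns a panic while handling one pod into an error instead of a process crash.
func guarded(handler func(map[string]string) string, a map[string]string) (s string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return handler(a), nil
}

func main() {
	good := map[string]string{podGCAnnotation: "OnPodCompletion"} // constructed pods
	bad := map[string]string{podGCAnnotation: ""}
	fmt.Println(guarded(unsafePodGC, good))
	fmt.Println(guarded(unsafePodGC, bad))
	fmt.Println(parsePodGC(bad))
}
```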
Defensive priority
Given the high severity and potential for DoS attacks, defenders should prioritize patching or mitigating this vulnerability. Ensure that Argo Workflows is updated to version 4.0.5 or 3.7.14, depending on your current version.
Recommended defensive actions
- Update Argo Workflows to version 4.0.5 or 3.7.14.
- Review and validate annotations on workflow pods to prevent exploitation.
- Monitor for unusual workflow processing halts or controller crashes.
- Implement compensating controls to detect and respond to potential DoS attacks.
- Review and update incident response plans to include steps for addressing this vulnerability.
Evidence notes
The CVE-2026-40886 vulnerability is documented in the official CVE record and NVD detail pages. Additional information is available from Argo Workflows' security advisories and Red Hat's security bulletins. The vulnerability has a CVSS score of 7.7 and is classified as CWE-129 (Unchecked Array Index).
Official resources
- CVE-2026-40886 CVE record (CVE.org)
- CVE-2026-40886 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [link lost in extraction] (NVD reference tags: Exploit, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.