PatchSiren cyber security CVE debrief
CVE-2026-42296 Unknown Vendor CVE debrief
CVE-2026-42296 is an authorization/control bypass in Argo Workflows. According to the advisory, a user who only has create Workflow permission could bypass templateReferencing: Strict and submit workflows that change security-relevant pod settings, including host network access, service account selection, pod security context, tolerations, and service account token mounting. The issue was fixed in Argo Workflows 3.7.14 and 4.0.5.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Operators of Argo Workflows clusters should care, especially those whose environments use templateReferencing: Strict as a primary enforcement control. Kubernetes platform teams should also care, because the practical impact depends on other cluster controls such as PodSecurity admission, OPA/Gatekeeper, and node scheduling restrictions.
Technical summary
The vulnerability is classified as CWE-863 (Incorrect Authorization). In affected versions, the intended restrictions of templateReferencing: Strict could be bypassed by a workflow creator, allowing modification of workflow pod settings that are normally expected to be constrained by the template. The impact depends on surrounding Kubernetes policy: independent admission controls may block some settings, but clusters relying on Argo's Strict mode alone are exposed to privilege and scheduling boundary weakening.
Defensive priority
High. Treat as a high-priority upgrade for any Argo Workflows deployment that depends on Strict mode to constrain workflow authors. The CVSS score provided is 8.1 (HIGH), and the impact can include node placement changes, host networking, and service account/token handling changes.
Recommended defensive actions
- Upgrade Argo Workflows to 3.7.14 or later, or 4.0.5 or later, depending on your release line.
- Audit clusters that use templateReferencing: Strict to confirm whether other controls already block hostNetwork, service account changes, tolerations, and related pod spec fields.
- Review workflow author permissions and reduce create Workflow access where it is broader than necessary.
- Validate Kubernetes admission and policy controls such as PodSecurity admission or OPA/Gatekeeper for defense in depth.
- Check whether workflows can mount service account tokens or target control-plane nodes through tolerations in your current policy baseline.
- Use the upstream GitHub advisory and release notes to confirm the patched version path for your deployment.
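The audit steps above, as an added example that is not PatchSiren's or the Argo Workflows project's code: a Python check that flags, in a Workflow manifest, the pod-level fields the advisory names (hostNetwork, service account, security context, tolerations, token mounting) at both the workflow spec and per-template level, and calls out tolerations that would allow scheduling onto control-plane nodes. It assumes those field names match your Argo version's Workflow spec, and the sample manifest is constructed.

```python
"""Audit an Argo Workflow manifest for the pod settings the advisory names.

Added example for this debrief (not PatchSiren or Argo project code).
Assumption: the field names below are valid at both spec and template level
in your Argo Workflows version; verify against its API reference.
"""
import json

SENSITIVE_FIELDS = ("hostNetwork", "serviceAccountName", "securityContext",
                    "tolerations", "automountServiceAccountToken")
# Taint keys Kubernetes itself applies to control-plane nodes.
CONTROL_PLANE_TAINTS = {"node-role.kubernetes.io/control-plane",
                        "node-role.kubernetes.io/master"}


def _check_section(section: dict, path: str) -> list:
    """Report each sensitive field present in one spec or template section."""
    findings = []
    for field in SENSITIVE_FIELDS:
        if field not in section:
            continue
        findings.append(f"{path}.{field}")
        if field == "tolerations":
            for tol in section[field] or []:
                if tol.get("key") in CONTROL_PLANE_TAINTS:
                    findings.append(f"{path}.tolerations: control-plane taint {tol['key']}")
    return findings


def audit_workflow(workflow: dict) -> list:
    """Return finding strings (field paths) for one Workflow manifest; [] if clean."""
    spec = workflow.get("spec", {})
    findings = _check_section(spec, "spec")
    for i, tmpl in enumerate(spec.get("templates", [])):
        findings += _check_section(tmpl, f"spec.templates[{i}]")
    return findings


# Constructed sample: a submission that Strict mode is expected to constrain.
SAMPLE = json.loads("""{
  "apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
  "metadata": {"name": "sample"},
  "spec": {"entrypoint": "main", "hostNetwork": true,
    "templates": [{"name": "main", "serviceAccountName": "elevated-sa",
      "tolerations": [{"key": "node-role.kubernetes.io/control-plane", "operator": "Exists"}],
      "container": {"image": "alpine:3.19", "command": ["true"]}}]}
}""")

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Run it against manifests pulled with `kubectl get workflows -A -o json` (iterating over `.items`) to see which existing submissions already set these fields before relying on Strict mode alone.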
Evidence notes
The NVD record for CVE-2026-42296 cites GitHub security advisory references and reports CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N with CWE-863. The supplied description states the affected range is prior to Argo Workflows 3.7.14 and 4.0.5, and that the issue is patched in those releases. Official references include the upstream commit, the release tags for v3.7.14 and v4.0.5, and the GitHub advisory GHSA-3775-99mw-8rp4.
Official resources
Published in the supplied source set on 2026-05-09 04:16:25.563Z. The official references point to the upstream GitHub advisory, a fix-related commit, and fixed release tags for Argo Workflows 3.7.14 and 4.0.5.