CVE-2026-40886: CWE-129: Improper Validation of Array Index in argoproj argo-workflows
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
AI Analysis
Technical Summary
Argo Workflows versions 3.6.5 through 4.0.4 and 3.7.0 through 3.7.13 contain an unchecked array index vulnerability (CWE-129) in the podGCFromPod() function of the pod informer. A malformed pod annotation triggers a panic outside the controller's recover scope, crashing the controller process. Because the poisoned pod remains after restart, the controller repeatedly crashes, causing a denial of service for workflow orchestration. The vulnerability is resolved in versions 4.0.5 and 3.7.14.
Potential Impact
This vulnerability causes a denial of service by crashing the argo-workflows controller process when it encounters a malformed pod annotation. The crash loop persists until the problematic pod is manually deleted, halting all workflow processing. There is no impact on confidentiality or integrity reported. The CVSS 3.1 score is 7.7 (high), reflecting network attack vector, low complexity, low privileges required, no user interaction, and complete availability impact with scope change.
Mitigation Recommendations
A fix is available in argo-workflows versions 4.0.5 and 3.7.14. Users should upgrade to one of these versions or later to remediate the vulnerability. Until upgraded, manual deletion of any pods with malformed workflows.argoproj.io/pod-gc-strategy annotations can temporarily restore controller operation. Patch status is confirmed by the vendor advisory stating the issue is fixed in these versions.
CVE-2026-40886: CWE-129: Improper Validation of Array Index in argoproj argo-workflows
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Argo Workflows versions 3.6.5 through 4.0.4 and 3.7.0 through 3.7.13 contain an unchecked array index vulnerability (CWE-129) in the podGCFromPod() function of the pod informer. A malformed pod annotation triggers a panic outside the controller's recover scope, crashing the controller process. Because the poisoned pod remains after restart, the controller repeatedly crashes, causing a denial of service for workflow orchestration. The vulnerability is resolved in versions 4.0.5 and 3.7.14.
Potential Impact
This vulnerability causes a denial of service by crashing the argo-workflows controller process when it encounters a malformed pod annotation. The crash loop persists until the problematic pod is manually deleted, halting all workflow processing. There is no impact on confidentiality or integrity reported. The CVSS 3.1 score is 7.7 (high), reflecting network attack vector, low complexity, low privileges required, no user interaction, and complete availability impact with scope change.
Mitigation Recommendations
A fix is available in argo-workflows versions 4.0.5 and 3.7.14. Users should upgrade to one of these versions or later to remediate the vulnerability. Until upgraded, manual deletion of any pods with malformed workflows.argoproj.io/pod-gc-strategy annotations can temporarily restore controller operation. Patch status is confirmed by the vendor advisory stating the issue is fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T15:57:41.719Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea6a1a87115cfb68455b90
Added to database: 4/23/2026, 6:51:06 PM
Last enriched: 4/23/2026, 7:06:16 PM
Last updated: 4/24/2026, 6:06:35 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.