CVE-2026-42296: CWE-863: Incorrect Authorization in argoproj argo-workflows
CVE-2026-42296 is an authorization vulnerability in Argo Workflows prior to versions 3. 7. 14 and 4. 0. 5. It allows users with create Workflow permission to bypass the templateReferencing: Strict feature, enabling them to gain host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable service account token mounting. The impact depends on Kubernetes-level controls in place; clusters relying solely on Argo's Strict mode are fully exposed. This issue has been patched in versions 3. 7. 14 and 4.
AI Analysis
Technical Summary
Argo Workflows is a container-native workflow engine for Kubernetes. In versions before 3.7.14 and 4.0.5, a user with create Workflow permission can bypass the templateReferencing: Strict enforcement, which is intended to restrict certain pod specifications. This bypass allows the user to escalate privileges by gaining host network access, switching service accounts, overriding pod security contexts, adding tolerations to schedule on control-plane nodes, or enabling service account token mounting. The vulnerability is classified as CWE-863 (Incorrect Authorization). The practical impact depends on additional Kubernetes admission controls like PodSecurity admission or OPA/Gatekeeper, which may block some of these actions independently. Clusters that rely primarily on Argo's Strict mode for enforcement are vulnerable. The issue is patched in Argo Workflows versions 3.7.14 and 4.0.5.
Potential Impact
Successful exploitation allows a user with create Workflow permission to bypass security restrictions intended to limit pod capabilities, potentially leading to privilege escalation and unauthorized access to host network and service accounts. This can compromise cluster security depending on the presence or absence of Kubernetes-level admission controls. The vulnerability does not affect availability but has high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is patched in Argo Workflows versions 3.7.14 and 4.0.5. Users should upgrade to these or later versions to remediate the issue. No vendor advisory indicates that no action is required or that the issue is otherwise mitigated. Clusters using Kubernetes admission controls such as PodSecurity admission or OPA/Gatekeeper may have partial mitigation but should still apply the patch for full protection.
CVE-2026-42296: CWE-863: Incorrect Authorization in argoproj argo-workflows
Description
CVE-2026-42296 is an authorization vulnerability in Argo Workflows prior to versions 3. 7. 14 and 4. 0. 5. It allows users with create Workflow permission to bypass the templateReferencing: Strict feature, enabling them to gain host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable service account token mounting. The impact depends on Kubernetes-level controls in place; clusters relying solely on Argo's Strict mode are fully exposed. This issue has been patched in versions 3. 7. 14 and 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Argo Workflows is a container-native workflow engine for Kubernetes. In versions before 3.7.14 and 4.0.5, a user with create Workflow permission can bypass the templateReferencing: Strict enforcement, which is intended to restrict certain pod specifications. This bypass allows the user to escalate privileges by gaining host network access, switching service accounts, overriding pod security contexts, adding tolerations to schedule on control-plane nodes, or enabling service account token mounting. The vulnerability is classified as CWE-863 (Incorrect Authorization). The practical impact depends on additional Kubernetes admission controls like PodSecurity admission or OPA/Gatekeeper, which may block some of these actions independently. Clusters that rely primarily on Argo's Strict mode for enforcement are vulnerable. The issue is patched in Argo Workflows versions 3.7.14 and 4.0.5.
Potential Impact
Successful exploitation allows a user with create Workflow permission to bypass security restrictions intended to limit pod capabilities, potentially leading to privilege escalation and unauthorized access to host network and service accounts. This can compromise cluster security depending on the presence or absence of Kubernetes-level admission controls. The vulnerability does not affect availability but has high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is patched in Argo Workflows versions 3.7.14 and 4.0.5. Users should upgrade to these or later versions to remediate the issue. No vendor advisory indicates that no action is required or that the issue is otherwise mitigated. Clusters using Kubernetes admission controls such as PodSecurity admission or OPA/Gatekeeper may have partial mitigation but should still apply the patch for full protection.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:13:55.552Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ffe1b2cbff5d8610ead443
Added to database: 5/10/2026, 1:38:58 AM
Last enriched: 5/10/2026, 1:40:01 AM
Last updated: 5/10/2026, 8:06:59 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.