CVE-2026-54526
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
Summary
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOverrides and SanitizeUserWorkflowSpec walk only the top-level fields of WorkflowSpec via reflection, and WorkflowSpec.ArtifactGC is allow-listed wholesale; the struct behind that field, WorkflowLevelArtifactGC, has a PodSpecPatch sub-field whose contents flow unmodified into util.ApplyPodSpecPatch on the artifact-GC pod, the same sink the original fix closed for WorkflowSpec.PodSpecPatch, so a user submitting a Workflow under templateReferencing: Strict or Secure (against a referenced WorkflowTemplate that declares an output artifact and setting spec.artifactGC.strategy: OnWorkflowCompletion) can still inject an arbitrary strategic merge patch into the artifact-GC pod, including hostPath volumes, privileged: true, arbitrary image and command, and hostNetwork: true, defeating the stated purpose of Strict/Secure reference mode. This issue is fixed in versions 3.7.15 and 4.0.6.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| argoproj | argo-workflows | < 3.7.15 | affected |
| argoproj | argo-workflows | >= 4.0.0, < 4.0.6 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
References
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-48p8-g2fx-3wwm
- https://github.com/argoproj/argo-workflows/commit/277e9cef0ad16d7eaaab253573d0695951a65dbd
- https://github.com/argoproj/argo-workflows/commit/358cc3968c8f06f1be0967e41df191088db0b662
- https://github.com/argoproj/argo-workflows/releases/tag/v3.7.15
- https://github.com/argoproj/argo-workflows/releases/tag/v4.0.6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.