CVE-2026-31892

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as a mechanism to restrict users to admin-approved templates. The podSpecPatch field on a submitted Workflow takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time with no security validation. This vulnerability is fixed in 4.0.2 and 3.7.11.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3wf5-g532-rcrr	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:argoproj:argo_workflows::::::go::*
	cpe:2.3:a:argoproj:argo_workflows::::::go::*

History

No history.

Information

Published : 2026-03-11 16:16

Updated : 2026-03-17 19:17

NVD link : CVE-2026-31892

Mitre link : CVE-2026-31892

CVE.ORG link : CVE-2026-31892

JSON object : View

Products Affected

argoproj

argo_workflows

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-31892", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T16:16:44.033", "references": [{"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3wf5-g532-rcrr", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as a mechanism to restrict users to admin-approved templates. The podSpecPatch field on a submitted Workflow takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time with no security validation. This vulnerability is fixed in 4.0.2 and 3.7.11."}, {"lang": "es", "value": "Argo Workflows es un motor de flujo de trabajo de c\u00f3digo abierto nativo de contenedores para orquestar trabajos paralelos en Kubernetes. Desde la versi\u00f3n 2.9.0 hasta antes de la 4.0.2 y la 3.7.11, un usuario que puede enviar Workflows puede eludir completamente todas las configuraciones de seguridad definidas en un WorkflowTemplate al incluir un campo podSpecPatch en su env\u00edo de Workflow. Esto funciona incluso cuando el controlador est\u00e1 configurado con templateReferencing: Strict, que est\u00e1 espec\u00edficamente documentado como un mecanismo para restringir a los usuarios a plantillas aprobadas por el administrador. El campo podSpecPatch en un Workflow enviado tiene precedencia sobre el WorkflowTemplate referenciado durante la fusi\u00f3n de especificaciones y se aplica directamente a la especificaci\u00f3n del pod en el momento de la creaci\u00f3n sin validaci\u00f3n de seguridad. Esta vulnerabilidad est\u00e1 corregida en las versiones 4.0.2 y 3.7.11."}], "lastModified": "2026-03-17T19:17:55.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "2C394DD0-E356-4F05-8EE1-D161E9D8E9DF", "versionEndExcluding": "3.7.11", "versionStartIncluding": "2.9.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "5C8325AD-83B2-4ABD-A991-6DFFA5DD07C2", "versionEndExcluding": "4.0.2", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}