7.7
CVE-2026-40886
- EPSS 0.38%
- Veröffentlicht 23.04.2026 18:12:05
- Zuletzt bearbeitet 30.06.2026 03:19:20
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 3.6.5 <= 3.6.19
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 3.7.0 < 3.7.14
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 4.0.0 < 4.0.5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.296 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
|
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
CWE-129 Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-5jv8-h7qh-rf5p
https://access.redhat.com/security/cve/CVE-2026-40886
https://bugzilla.redhat.com/show_bug.cgi?id=2461236
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40886.json