7.7
CVE-2026-40886
- EPSS 0.05%
- Veröffentlicht 23.04.2026 18:12:05
- Zuletzt bearbeitet 28.04.2026 14:09:25
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 3.6.5 <= 3.6.19
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 3.7.0 < 3.7.14
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 4.0.0 < 4.0.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.142 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
|
CWE-129 Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.