Argo Workflows bypasses security settings with certain configuration
CVE-2026-31892
GHSA-3wf5-g532-rcrr
BIT-argo-workflows-2026-31892
Summary
A security setting in Argo Workflows can be bypassed by users who can submit workflows, allowing them to make unauthorized changes to workflow execution. This affects versions from 2.9.0 up to, but not including, 4.0.2 and 3.7.11. To fix, update to version 4.0.2 or 3.7.11 or later.
What to do
- Update github.com argoproj to version 4.0.2.
- Update github.com argoproj to version 3.7.11.
- Update argo-workflows to version 4.0.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | argoproj | <= 4.0.2 | 4.0.2 |
| github.com | argoproj | <= 3.7.11 | 3.7.11 |
| github.com | argoproj | > 2.9.0, <= 3.0.0 | – |
| – | argo-workflows | > 4.0.0, <= 4.0.2 | 4.0.2 |
Original title
WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode
Original description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as a mechanism to restrict users to admin-approved templates. The podSpecPatch field on a submitted Workflow takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time with no security validation. This vulnerability is fixed in 4.0.2 and 3.7.11.
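Until the controller is upgraded, a defender can catch the bypass described above at submission time by flagging any Workflow that references a WorkflowTemplate and also carries a podSpecPatch. The following audit function is an added example, not Argo Workflows' own code; the sample manifest is constructed, and checking the per-template podSpecPatch location alongside the spec-level one is an assumption about where the field can appear.

```python
"""Audit a submitted Argo Workflow manifest for podSpecPatch fields (added example)."""
from typing import Any

# Constructed sample: a submission that references an admin-approved template
# but also carries a spec-level podSpecPatch that would be merged over it.
SAMPLE_WORKFLOW: dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Workflow",
    "metadata": {"generateName": "report-"},
    "spec": {
        "workflowTemplateRef": {"name": "approved-report"},
        "podSpecPatch": '{"nodeSelector": {"pool": "batch"}}',
    },
}


def find_pod_spec_patches(workflow: dict[str, Any]) -> list[str]:
    """Return dotted paths of every podSpecPatch present in the manifest.

    Spec-level podSpecPatch is the field named in the advisory; the per-template
    location is checked as well (assumption: the field is also accepted there).
    """
    spec = workflow.get("spec") or {}
    hits: list[str] = []
    if "podSpecPatch" in spec:
        hits.append("spec.podSpecPatch")
    for i, tmpl in enumerate(spec.get("templates") or []):
        if isinstance(tmpl, dict) and "podSpecPatch" in tmpl:
            hits.append(f"spec.templates[{i}].podSpecPatch")
    return hits


def audit_workflow(workflow: dict[str, Any], template_referencing: str) -> list[str]:
    """Findings for one submission under the controller's templateReferencing mode.

    In Strict or Secure mode every submission must come from a WorkflowTemplate,
    so a podSpecPatch on the submission itself is the field that overrides the
    approved template and should be rejected or alerted on.
    """
    spec = workflow.get("spec") or {}
    references_template = "workflowTemplateRef" in spec
    findings: list[str] = []
    if template_referencing in ("Strict", "Secure") and not references_template:
        findings.append("submission does not reference a WorkflowTemplate")
    for path in find_pod_spec_patches(workflow):
        if references_template:
            findings.append(f"{path} overrides the referenced WorkflowTemplate")
        else:
            findings.append(f"{path} present on submission")
    return findings
```

Wiring `audit_workflow` into a validating admission webhook or a CI check on Workflow manifests gives a compensating control; upgrading to 4.0.2 or 3.7.11 remains the actual fix.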
NVD CVSS 4.0
8.9
Vulnerability type
CWE-863
Incorrect Authorization
Published: 13 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026