CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31892: Argo Workflows WorkflowTemplate Security Bypass via podSpecPatch

Vulnerability ID: CVE-2026-31892
CVSS Score: 8.9
Published: 2026-03-11

CVE-2026-31892 is a high-severity security bypass vulnerability in Argo Workflows that permits authenticated users to override administrative security constraints. By injecting a malicious podSpecPatch payload during workflow submission, attackers can achieve container escape and node-level privilege escalation, defeating the Strict template referencing protections.

TL;DR

Authenticated users can bypass Argo Workflows template restrictions using the podSpecPatch field, leading to privileged container execution and Kubernetes node compromise.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • CVSS v4.0: 8.9
  • Attack Vector: Network (Authenticated)
  • Impact: Privilege Escalation / Node Compromise
  • Exploit Status: Proof of Concept
  • KEV Listed: No

Affected Systems

  • Argo Workflows Controller
  • Kubernetes Nodes running Argo Workflows
  • Argo Workflows: 2.9.0 to < 3.7.11 (Fixed in: 3.7.11)
  • Argo Workflows: 4.0.0 to < 4.0.2 (Fixed in: 4.0.2)

Code Analysis

Commit: 4cac12c

Fix for CVE-2026-31892 in the 4.0.x branch. Rejects workflow submissions containing podSpecPatch when template referencing is Strict.

Commit: 9064c7f

Fix for CVE-2026-31892 in the 3.7.x branch. Rejects workflow submissions containing podSpecPatch when template referencing is Strict.

Mitigation Strategies

  • Implement Kubernetes Admission Controllers (OPA Gatekeeper or Kyverno) to block privileged pods at the cluster level.
  • Verify and enforce Strict mode in the Argo Workflows controller configurations.
  • Audit existing Role-Based Access Control (RBAC) permissions to restrict 'create workflow' access.

Remediation Steps:

  1. Upgrade Argo Workflows to version 3.7.11 or 4.0.2.
  2. Verify the workflow-controller deployment is successfully running the updated image.
  3. Review historical workflow executions for anomalous usage of the podSpecPatch field.
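For remediation step 3, the following audit sketch is an added example, not code from this report or from the Argo project. It assumes the input has the shape of `kubectl get workflows -A -o json` output, and it lists every `podSpecPatch` it finds, ranking patches on workflows that use `workflowTemplateRef` and contain privilege-related keys first. The key list and the ranking are assumptions made for illustration.

```python
import json

# Assumed heuristic list of pod-spec keys that raise privileges; extend as needed.
RISKY_KEYS = ("privileged", "hostPID", "hostIPC", "hostNetwork", "hostPath")


def patches_in(workflow):
    """Yield (location, patch string) for each podSpecPatch in one Workflow."""
    spec = workflow.get("spec") or {}
    if spec.get("podSpecPatch"):
        yield "spec", spec["podSpecPatch"]
    if (spec.get("templateDefaults") or {}).get("podSpecPatch"):
        yield "spec.templateDefaults", spec["templateDefaults"]["podSpecPatch"]
    for tmpl in spec.get("templates") or []:
        if tmpl.get("podSpecPatch"):
            yield f"spec.templates[{tmpl.get('name', '?')}]", tmpl["podSpecPatch"]


def audit(workflow_list):
    """Return one finding per podSpecPatch, most suspicious first."""
    findings = []
    for wf in workflow_list.get("items") or []:
        meta = wf.get("metadata") or {}
        uses_ref = "workflowTemplateRef" in (wf.get("spec") or {})
        for location, patch in patches_in(wf):
            findings.append({
                "workflow": f"{meta.get('namespace', '?')}/{meta.get('name', '?')}",
                "location": location,
                "uses_template_ref": uses_ref,
                "risky_keys": [k for k in RISKY_KEYS if k in patch],
            })
    # Template-referencing workflows with risky keys sort to the top.
    findings.sort(key=lambda f: (not f["uses_template_ref"], not f["risky_keys"]))
    return findings


# Constructed sample standing in for `kubectl get workflows -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "ci", "name": "build-1"},
     "spec": {"templates": [{"name": "main", "podSpecPatch":
              '{"containers":[{"name":"main","resources":{"limits":{"memory":"1Gi"}}}]}'}]}},
    {"metadata": {"namespace": "team-a", "name": "report-7"},
     "spec": {"workflowTemplateRef": {"name": "approved-report"},
              "podSpecPatch":
              '{"containers":[{"name":"main","securityContext":{"privileged":true}}]}'}},
    {"metadata": {"namespace": "team-a", "name": "report-8"},
     "spec": {"workflowTemplateRef": {"name": "approved-report"}}},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

The key match is a plain substring test on the patch string, so treat a hit as a prompt for manual review, not as proof of abuse.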

Read the full report for CVE-2026-31892 on our website for more details including interactive diagrams and full exploit analysis.