DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40886: Denial of Service via Unchecked Annotation Parsing in Argo Workflows

Vulnerability ID: CVE-2026-40886
CVSS Score: 7.7
Published: 2026-04-23

CVE-2026-40886 is a high-severity denial-of-service vulnerability in Argo Workflows caused by an unhandled Go runtime panic. A malformed Kubernetes annotation triggers an out-of-bounds array access in the controller's pod informer, leading to a permanent crash loop that halts all workflow orchestration operations.

TL;DR

Argo Workflows fails to properly validate the array index when parsing the pod garbage collection annotation. Submitting a workflow with a malformed annotation causes a persistent Go runtime panic in the controller process, resulting in a denial of service.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-40886
  • CVSS v3.1 Score: 7.7
  • Attack Vector: Network
  • CWE: CWE-129
  • Impact: Denial of Service (Availability: High)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Argo Workflows Controller
  • Kubernetes Clusters running Argo Workflows v3.6.x
  • Kubernetes Clusters running Argo Workflows v3.7.x
  • Kubernetes Clusters running Argo Workflows v4.0.x
  • Argo Workflows: >= 3.6.5, <= 3.6.19 (Fixed in: v3.7.14)
  • Argo Workflows: >= 3.7.0, <= 3.7.13 (Fixed in: v3.7.14)
  • Argo Workflows: >= 4.0.0, <= 4.0.4 (Fixed in: v4.0.5)

Code Analysis

Commit: 4fe54e5

fix: Do not panic on invalid pod gc strategy annotation

func podGCFromPod(pod *apiv1.Pod) wfv1.PodGC {
    if val, ok := pod.Annotations[common.AnnotationKeyPodGCStrategy]; ok {
-       parts := strings.Split(val, "/")
-       return wfv1.PodGC{Strategy: wfv1.PodGCStrategy(parts[0]), DeleteDelayDuration: parts[1]}
+       strategy, delay, _ := strings.Cut(val, "/")
+       return wfv1.PodGC{Strategy: wfv1.PodGCStrategy(strategy), DeleteDelayDuration: delay}
    }
    return wfv1.PodGC{Strategy: wfv1.PodGCOnPodNone}
}
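
Review bot: On the added `strings.Cut` line the third return value is discarded, so an annotation with no "/" now silently produces an empty `DeleteDelayDuration`, and `strategy` is still cast to `wfv1.PodGCStrategy` without any validation. Consider falling back to `wfv1.PodGCOnPodNone` (and logging) when the separator is missing, and add a unit test covering a value with no "/", an empty value, and a value with more than one "/", where `Cut` puts everything after the first "/" into `delay`, unlike the old `parts[1]`.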

Exploit Details

  • Proof-of-Concept: Minimal Workflow manifest demonstrating the injection of the malformed 'workflows.argoproj.io/pod-gc-strategy' annotation

Mitigation Strategies

  • Upgrade Argo Workflows controller to fully patched releases (v3.7.14 or v4.0.5).
  • Implement Validating Admission Webhooks (using OPA Gatekeeper or Kyverno) to enforce formatting constraints on the workflows.argoproj.io/pod-gc-strategy annotation.

Remediation Steps:

  1. Identify the deployed version of Argo Workflows across all managed Kubernetes clusters.
  2. If the version falls within an affected range, update the Argo Workflows manifest or Helm chart to deploy version v3.7.14 or v4.0.5.
  3. If the controller is actively in a CrashLoopBackOff state, locate the offending workflow using kubectl.
  4. Execute 'kubectl delete workflow -n ' to purge the malformed resource.
  5. Verify that the controller pod stabilizes in a Running state and resumes processing standard events.
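
A triage helper for step 3, added here as an example and not taken from the Argo Workflows code base: it reads saved `kubectl get pods -A -o json` output and flags pods whose pod-gc-strategy annotation has no "/", the case where the pre-fix `parts[1]` access is out of range. The `workflows.argoproj.io/workflow` label used to name the owning workflow is an assumption not stated on the page, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const podGCKey = "workflows.argoproj.io/pod-gc-strategy" // annotation key named on the page
const wfLabel = "workflows.argoproj.io/workflow"         // assumed: label Argo puts on workflow pods

type podList struct { // only the fields needed from `kubectl get pods -A -o json`
	Items []struct{ M meta `json:"metadata"` }
}
type meta struct {
	Name, Namespace     string
	Labels, Annotations map[string]string
}

type Finding struct { // one pod that carries the annotation
	Namespace, Pod, Workflow, Value string
	Malformed                       bool
}

// WouldPanic mirrors the pre-fix parser: parts[1] is out of range when val has no "/".
func WouldPanic(val string) bool { return len(strings.Split(val, "/")) < 2 }

// Scan lists every pod with the annotation and flags values the pre-fix parser panics on.
func Scan(doc []byte) (out []Finding, err error) {
	var l podList
	if err = json.Unmarshal(doc, &l); err != nil {
		return nil, err
	}
	for _, it := range l.Items {
		if v, ok := it.M.Annotations[podGCKey]; ok {
			out = append(out, Finding{it.M.Namespace, it.M.Name, it.M.Labels[wfLabel], v, WouldPanic(v)})
		}
	}
	return out, nil
}

// sample is constructed for this example, not captured from a cluster.
const sample = `{"items":[
{"metadata":{"name":"a-1","namespace":"argo","labels":{"workflows.argoproj.io/workflow":"a"},"annotations":{"workflows.argoproj.io/pod-gc-strategy":"OnPodCompletion/30s"}}},
{"metadata":{"name":"b-1","namespace":"argo","labels":{"workflows.argoproj.io/workflow":"b"},"annotations":{"workflows.argoproj.io/pod-gc-strategy":"OnPodCompletion"}}}]}`

func main() {
	fmt.Println(Scan([]byte(sample)))
}
```

Findings with `Malformed` set give the namespace and workflow name to pass to the delete command in step 4.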

Read the full report for CVE-2026-40886 on our website for more details including interactive diagrams and full exploit analysis.