CVE-2026-40886
HIGH7.7EPSS 0.05%Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
發布日:2026/4/23修改日:2026/4/25
描述
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.
受影響套件(3)
- Bitnami/argo-workflows>= 3.6.5, < 3.7.14, >= 4.0.0, < 4.0.5
- Go/github.com/argoproj/argo-workflows/v3>= 3.7.0, < 3.7.14
- Go/github.com/argoproj/argo-workflows/v4>= 4.0.0, < 4.0.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |