Back to overview

CVE-2026-54526

HIGH
8.9
CVSS 4.0
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOverrides and SanitizeUserWorkflowSpec walk only the top-level fields of WorkflowSpec via reflection, and WorkflowSpec.ArtifactGC is allow-listed wholesale; the struct behind that field, WorkflowLevelArtifactGC, has a PodSpecPatch sub-field whose contents flow unmodified into util.ApplyPodSpecPatch on the artifact-GC pod, the same sink the original fix closed for WorkflowSpec.PodSpecPatch, so a user submitting a Workflow under templateReferencing: Strict or Secure (against a referenced WorkflowTemplate that declares an output artifact and setting spec.artifactGC.strategy: OnWorkflowCompletion) can still inject an arbitrary strategic merge patch into the artifact-GC pod, including hostPath volumes, privileged: true, arbitrary image and command, and hostNetwork: true, defeating the stated purpose of Strict/Secure reference mode. This issue is fixed in versions 3.7.15 and 4.0.6.

Metadata

CVE ID
CVE-2026-54526
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 18:40 UTC
Published
2026-07-16 19:07 UTC
Last updated
2026-07-16 19:07 UTC
Primary CWE
CWE-284
CWE-284: Improper Access Control
Vendor / Product
argoproj / argo-workflows
Sources
cve.org  ·  NVD

Severity & Metrics

8.9 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
Affected products (1)
VendorProductPlatformVersions
argoproj argo-workflows < 3.7.15, >= 4.0.0, < 4.0.6
Weakness (CWE)
CWESourceDescription
CWE-284 cna CWE-284: Improper Access Control
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.9 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
References (5)
Back to overview