EXECUTIVE SUMMARY:
CVE-2026-40886 (CVSS score 7.7) is a denial-of-service vulnerability affecting versions v3.6.5 through v3.6.19 of the Argo Workflows controller. The vulnerability arises from unchecked annotation parsing in the pod informer's podGCFromPod() function: when a workflow pod carries a malformed workflows annotation whose value contains no "/", the split parts array has a length of 1 and the following index access fails with an index out of range error, causing a controller-wide panic. An attacker with create permission on Workflow resources, the baseline permission for any Argo Workflows user, can exploit this by submitting a workflow with an annotation that triggers the crash, achieving a denial of service against all workflows in the cluster; recovery requires manual deletion of the poisoned workflow. Because no workflows can make progress while the controller is crash-looping, the attacker can halt all workflow processing indefinitely, with significant business impact.
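To make the defect class concrete, here is an added illustrative example in Go (not Argo Workflows' own code) of an unchecked split-and-index parser beside a length-checked one, wrapped in a handler that confines a per-pod panic; the annotation key and the `<namespace>/<name>` shape of its value are assumptions, since the page does not state them.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical annotation key; the page does not name the real Argo key.
const podGCAnnotation = "example.invalid/workflow-pod-gc"

// PodGCRef is the assumed "<namespace>/<name>" pair the annotation carries.
type PodGCRef struct{ Namespace, Name string }

// parsePodGCUnchecked reproduces the defect class the advisory describes: split
// on "/" and index parts[1] with no length check. A value with no "/" gives a
// one-element slice, so parts[1] panics with "index out of range".
func parsePodGCUnchecked(value string) (PodGCRef, error) {
	parts := strings.Split(value, "/")
	return PodGCRef{Namespace: parts[0], Name: parts[1]}, nil
}

// parsePodGCChecked validates the slice length first and returns an error the
// informer can log and skip instead of crashing the whole controller.
func parsePodGCChecked(value string) (PodGCRef, error) {
	parts := strings.Split(value, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return PodGCRef{}, fmt.Errorf("malformed pod GC annotation %q: want <namespace>/<name>", value)
	}
	return PodGCRef{Namespace: parts[0], Name: parts[1]}, nil
}

// handlePod stands in for the informer callback. Defense in depth: recover()
// turns a panic from one poisoned pod into an error for that pod, so even an
// unchecked parser cannot leave the controller crash-looping.
func handlePod(annotations map[string]string, parse func(string) (PodGCRef, error)) (ref PodGCRef, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic while parsing pod annotations: %v", r)
		}
	}()
	value, present := annotations[podGCAnnotation]
	if !present {
		return PodGCRef{}, fmt.Errorf("annotation %q missing", podGCAnnotation)
	}
	return parse(value)
}
```

Feeding a constructed value such as "my-workflow" (no "/") to handlePod with parsePodGCUnchecked yields a recovered-panic error, while parsePodGCChecked reports it as a malformed annotation; a well-formed "argo/my-workflow" parses under both.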
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-5jv8-h7qh-rf5p