CVE-2026-40886 in argo-workflowsinfo

Zusammenfassung

von MITRE • 23.04.2026

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

15.04.2026

Veröffentlichung

23.04.2026

Moderieren

akzeptiert

Eintrag

VDB-359186

CPE

bereit

CWE

CWE-129 (bestätigt)

CVSS

7.7 (CNA)

EPSS

0.00054

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-40886
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-40886
CVE Details	https://www.cvedetails.com/cve/CVE-2026-40886/

◂ Zurück Übersicht Weiter ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!