2446551 – (CVE-2026-31892) CVE-2026-31892 github.com/argoproj/argo-workflows: Argo Workflows: Security bypass allows privilege escalation via podSpecPatch field

Bug 2446551 (CVE-2026-31892) - CVE-2026-31892 github.com/argoproj/argo-workflows: Argo Workflows: Security bypass allows privilege escalation via podSpecPatch field

Summary: CVE-2026-31892 github.com/argoproj/argo-workflows: Argo Workflows: Security b...

Keywords:
Status:	NEW
Alias:	CVE-2026-31892
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-11 16:01 UTC by OSIDB Bzimport
Modified:	2026-03-11 20:01 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-11 16:01:33 UTC

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as a mechanism to restrict users to admin-approved templates. The podSpecPatch field on a submitted Workflow takes precedence over the referenced WorkflowTemplate during spec merging and is applied directly to the pod spec at creation time with no security validation. This vulnerability is fixed in 4.0.2 and 3.7.11.

Note You need to log in before you can comment on or make changes to this bug.