PT-2026-34719 · Unknown · Argo Workflows

Thevilledev

·

Published

2026-04-23

·

Updated

2026-04-28

·

CVE-2026-40886

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Argo Workflows versions 3.6.5 through 3.6.19
Argo Workflows versions 3.7.0-rc1 through 3.7.12
Argo Workflows versions 4.0.0-rc1 through 4.0.4
Description

An unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod contains a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine outside the controller's recover scope, it crashes the entire controller process. The poisoned pod persists across restarts, leading to a crash loop that halts all workflow processing until the pod is manually deleted. This allows any user with permission to submit workflows to cause a denial-of-service against all workflows in the cluster.
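The following Go program is an added illustration of the flaw class described above; it is not Argo Workflows' source, which this page does not show. Only the annotation key is taken from the advisory. The annotation value format ("<strategy>/<deleteDelay>", both parts required), the function names, the error values and the sample pods are assumptions made for the example. It places the unchecked-index parser beside a bounds-checked one, shows why a recover deferred in the caller cannot catch a panic raised on an informer goroutine, and ends with a small triage helper of the kind an operator could use to find the pod that keeps the controller in a crash loop.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Annotation key from the advisory. The value format "<strategy>/<deleteDelay>"
// used below (e.g. "OnPodCompletion/30s") is an assumption for this example.
const annotationKeyPodGCStrategy = "workflows.argoproj.io/pod-gc-strategy"

type podGC struct {
	Strategy    string
	DeleteDelay time.Duration
}

// vulnerablePodGCFromPod (hypothetical name) indexes parts[1] without checking
// len(parts). A value with no "/" makes parts[1] panic with
// "index out of range [1] with length 1" (CWE-129).
func vulnerablePodGCFromPod(annotations map[string]string) (*podGC, error) {
	value, ok := annotations[annotationKeyPodGCStrategy]
	if !ok {
		return nil, nil
	}
	parts := strings.Split(value, "/")
	gc := &podGC{Strategy: parts[0]}
	if parts[1] != "" { // BUG: unchecked array index
		d, err := time.ParseDuration(parts[1])
		if err != nil {
			return nil, err
		}
		gc.DeleteDelay = d
	}
	return gc, nil
}

var errMalformedPodGC = errors.New("malformed pod-gc-strategy annotation")

// hardenedPodGCFromPod (hypothetical name) bounds-checks the split and turns
// bad input into an error the caller can log and skip, so one poisoned pod
// cannot take the whole controller down.
func hardenedPodGCFromPod(annotations map[string]string) (*podGC, error) {
	value, ok := annotations[annotationKeyPodGCStrategy]
	if !ok {
		return nil, nil
	}
	parts := strings.SplitN(value, "/", 2)
	if len(parts) != 2 || parts[0] == "" {
		return nil, fmt.Errorf("%w: %q", errMalformedPodGC, value)
	}
	gc := &podGC{Strategy: parts[0]}
	if parts[1] != "" {
		d, err := time.ParseDuration(parts[1])
		if err != nil {
			return nil, fmt.Errorf("%w: %q: %v", errMalformedPodGC, value, err)
		}
		gc.DeleteDelay = d
	}
	return gc, nil
}

// runHandler models an informer callback running on its own goroutine.
// recover() only catches panics in the goroutine where it was deferred, so a
// recover in the caller does not help; it has to be deferred inside the
// goroutine, as done here, and the panic is reported as an error instead.
func runHandler(handler func()) error {
	done := make(chan error, 1)
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- fmt.Errorf("handler panicked: %v", r)
				return
			}
			done <- nil
		}()
		handler()
	}()
	return <-done
}

// findPoisonedPods is an operator triage aid: given pod name -> annotations
// (as taken from a pod listing), it returns the pods whose annotation the
// hardened parser rejects, i.e. the ones to delete to break the crash loop.
func findPoisonedPods(pods map[string]map[string]string) []string {
	var bad []string
	for name, ann := range pods {
		if _, err := hardenedPodGCFromPod(ann); err != nil {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample pods; "wf-poisoned" carries the value with no "/".
	pods := map[string]map[string]string{
		"wf-good":     {annotationKeyPodGCStrategy: "OnPodCompletion/30s"},
		"wf-poisoned": {annotationKeyPodGCStrategy: "OnPodCompletion"},
		"wf-none":     {},
	}
	fmt.Println("panic contained:", runHandler(func() { vulnerablePodGCFromPod(pods["wf-poisoned"]) }))
	fmt.Println("poisoned pods:", findPoisonedPods(pods))
}
```

Two points carry over to the real controller regardless of the exact parsing code: bounds-checking the split (or returning an error for unexpected input) is the fix for the index itself, and a recover is only a safety net for the goroutine in which it is deferred, which is why a panic on an informer goroutine outside that scope terminates the process. Until the upgrade is applied, identifying the pod carrying the bad annotation value and deleting it is what stops the crash loop.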
Recommendations

Update Argo Workflows versions 3.6.5 through 3.6.19 to version 3.6.20 or newer.
Update Argo Workflows versions 3.7.0-rc1 through 3.7.12 to version 3.7.14.
Update Argo Workflows versions 4.0.0-rc1 through 4.0.4 to version 4.0.5.

Weakness Enumeration

CWE-129: Improper Validation of Array Index

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-40886
CVE-2026-40886
GHSA-5JV8-H7QH-RF5P

Affected Products

Argo Workflows