PT-2026-37194 · Unknown · Argo Workflows

Vnykmshr · Published 2026-05-04 · Updated 2026-05-13 · CVE-2026-42296

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Argo Workflows versions prior to 3.7.14; Argo Workflows versions prior to 4.0.5

Description: A user with create Workflow permission can bypass the templateReferencing: Strict and Secure restrictions. This occurs because the system only blocks the podSpecPatch field, allowing other WorkflowSpec fields to be merged and applied to pods. An attacker can use this to obtain host network access, switch service accounts, override pod security contexts, add tolerations to schedule pods on control-plane nodes, or enable service account token mounting. The bypass is possible when a workflow references a hardened template that relies on default values for these fields. The affected fields include hostNetwork, securityContext, serviceAccountName, automountServiceAccountToken, tolerations, dnsPolicy, schedulerName, hostAliases, and volumes.

Recommendations: Update to version 3.7.14 or later. Update to version 4.0.5 or later.
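As an added example (not code from the Argo project or from this advisory), the following audit flags a Workflow manifest that references a template via workflowTemplateRef while also setting, at spec level, the fields the advisory lists as merged onto pods on unpatched controllers. The template and service-account names in the sample are constructed, and running the check in CI or an admission webhook is an assumed deployment.

```python
"""Audit Argo Workflow manifests for spec-level pod overrides that bypass
templateReferencing: Strict/Secure on controllers affected by CVE-2026-42296.

Added example for this advisory, not code from the Argo project. It inspects
manifests already parsed into dicts (from YAML or JSON); where it runs (CI lint,
admission webhook) is an assumption, not something the advisory states.
"""
from typing import Any, Dict, List

# Fields the advisory names as merged onto pods despite Strict/Secure mode,
# plus podSpecPatch, the one field the controller already blocked.
RISKY_SPEC_FIELDS = (
    "hostNetwork", "securityContext", "serviceAccountName",
    "automountServiceAccountToken", "tolerations", "dnsPolicy",
    "schedulerName", "hostAliases", "volumes", "podSpecPatch",
)


def references_template(spec: Dict[str, Any]) -> bool:
    """True when the Workflow delegates its templates via workflowTemplateRef."""
    return bool(spec.get("workflowTemplateRef"))


def risky_spec_overrides(workflow: Dict[str, Any]) -> List[str]:
    """Return the spec-level fields that an unpatched controller would merge
    onto the referenced template's pods. An empty list means nothing to flag."""
    spec = workflow.get("spec") or {}
    if not references_template(spec):
        return []  # self-contained workflow: not the bypass path described
    return sorted(f for f in RISKY_SPEC_FIELDS if spec.get(f) is not None)


# Constructed sample: references a hardened template but also sets its own
# pod-level fields at spec level (template and SA names are made up).
SAMPLE_WORKFLOW = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Workflow",
    "metadata": {"generateName": "ref-"},
    "spec": {
        "workflowTemplateRef": {"name": "hardened-template"},
        "hostNetwork": True,
        "serviceAccountName": "some-other-sa",
        "tolerations": [{"operator": "Exists"}],
    },
}

if __name__ == "__main__":
    print(risky_spec_overrides(SAMPLE_WORKFLOW))
    # → ['hostNetwork', 'serviceAccountName', 'tolerations']
```

A non-empty result is a reason to reject or review the manifest until the controller runs a fixed version; it does not replace upgrading.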

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-42296
CVE-2026-42296
GHSA-3775-99MW-8RP4

Affected Products

Argo Workflows