CVSS Score: 8.9 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31892
CVE-2026-31892 is a high-severity security bypass vulnerability in Argo Workflows that permits authenticated users to override administrative security constraints. By injecting a malicious podSpecPatch payload during workflow submission, attackers can achieve container escape and node-level privilege escalation, defeating the Strict template referencing protections.
Authenticated users can bypass Argo Workflows template restrictions using the podSpecPatch field, leading to privileged container execution and Kubernetes node compromise.
- CWE ID: CWE-863
- CVSS v4.0: 8.9
- Attack Vector: Network (Authenticated)
- Impact: Privilege Escalation / Node Compromise
- Exploit Status: Proof of Concept
- KEV Listed: No
- Argo Workflows Controller
- Kubernetes Nodes running Argo Workflows
- Argo Workflows: 2.9.0 to < 3.7.11 (Fixed in:
3.7.11) - Argo Workflows: 4.0.0 to < 4.0.2 (Fixed in:
4.0.2)
- Implement Kubernetes Admission Controllers (OPA Gatekeeper or Kyverno) to block privileged pods at the cluster level.
- Verify and enforce Strict mode in the Argo Workflows controller configurations.
- Audit existing Role-Based Access Control (RBAC) permissions to restrict 'create workflow' access.
Remediation Steps:
- Upgrade Argo Workflows to version 3.7.11 or 4.0.2.
- Verify the workflow-controller deployment is successfully running the updated image.
- Review historical workflow executions for anomalous usage of the podSpecPatch field.
Generated by CVEReports - Automated Vulnerability Intelligence