CVE-2026-42296

HIGH

Argo Workflows < 3.7.14/4.0.5 templateReferencing - Strict Mode Bypass

Title source: manual

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5.

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3775-99mw-8rp4

X_Refsource_Misc x_refsource_misc

https://github.com/argoproj/argo-workflows/commit/534f4ff1cbd86908e8ff76d97d553ad5a49a950d

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14

X_Refsource_Misc x_refsource_misc

https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5

Scores

CVSS v3 8.1

EPSS 0.0003

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-863

Status published

Products (5)

argoproj/argo-workflows 0 - 3.7.14Go

argoproj/argo-workflows 4.0.0 - 4.0.5Go

argoproj/argo-workflows < 3.7.14

argoproj/argo-workflows >= 4.0.0, < 4.0.5

argoproj/argo_workflows < 3.7.14

Published May 09, 2026

Tracked Since May 09, 2026