Argo Workflows Crash Loop: Malformed Annotation Halts Processing
The National Vulnerability Database has published CVE-2026-40886, a high-severity vulnerability (CVSS 7.7) in Argo Workflows versions 3.6.5 through 4.0.4. Classified under CWE-129 (Improper Validation of Array Index), the flaw is an unchecked array index in the controller's podGCFromPod() function: a malformed workflows.argoproj.io/pod-gc-strategy annotation on a workflow pod causes an out-of-range index and, because the controller is written in Go, a runtime panic.
The panic is not caught by the controller's recovery logic, so it takes down the whole controller process rather than a single reconcile. Because the pod carrying the annotation still exists when the controller restarts, the controller re-reads it and panics again, producing a persistent crash loop. All workflow processing stops until the offending pod is identified and deleted by hand, which makes this a denial of service for any environment that depends on Argo Workflows for orchestration.
Defenders should read this as an availability attack. It yields neither data exfiltration nor code execution, but it gives any principal able to create or annotate a workflow pod in a namespace the controller watches a cheap way to halt Kubernetes-native operations. The fix ships in Argo Workflows 4.0.5 and 3.7.14.
What This Means For You
- If your organization runs Argo Workflows, treat this as a high-priority availability risk. Identify every controller running a version from 3.6.5 through 4.0.4 and upgrade to 4.0.5 (4.x line) or 3.7.14 (3.x line). Until you have patched, review which principals hold create or patch permissions on pods in the namespaces the controller watches, since that is what it takes to plant the annotation. If a controller is already crash-looping, look for a workflow pod whose workflows.argoproj.io/pod-gc-strategy annotation carries an unexpected value and delete that pod to restore processing.
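To support the triage step above, here is an added example in Go, Argo's own language; it is not part of the advisory or of the Argo Workflows code base. It reads the output of `kubectl get pods -A -o json`, flags workflow pods whose pod-gc-strategy annotation is not one of the documented strategy names, and prints the delete commands an operator would run. Assumptions: the set of valid values is the documented strategy list (the advisory does not say what makes a value malformed, so anything outside that list is merely a suspect), workflow pods carry the workflows.argoproj.io/workflow label, and the embedded pod list is constructed sample data, not output from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Annotation key named in the advisory.
const podGCAnnotation = "workflows.argoproj.io/pod-gc-strategy"

// Documented Argo pod GC strategies. Assumption: the advisory does not say
// which values the controller rejects, so treating anything outside this
// set as suspect is this script's own heuristic, not Argo's validation logic.
var knownStrategies = map[string]bool{
	"":                     true, // annotation present but empty: no strategy
	"OnPodCompletion":      true,
	"OnPodSuccess":         true,
	"OnWorkflowCompletion": true,
	"OnWorkflowSuccess":    true,
}

// Minimal view of `kubectl get pods -A -o json`; only the fields we read.
type podList struct {
	Items []struct {
		Metadata struct {
			Name        string            `json:"name"`
			Namespace   string            `json:"namespace"`
			Labels      map[string]string `json:"labels"`
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"items"`
}

// Suspect is a workflow pod whose pod-gc-strategy annotation is not a documented value.
type Suspect struct {
	Namespace, Name, Value string
}

// FindSuspectPods parses a pod list and returns workflow pods (assumption:
// identified by the workflows.argoproj.io/workflow label) whose annotation
// value is not a known strategy. Pods without the annotation are ignored.
func FindSuspectPods(raw []byte) ([]Suspect, error) {
	var list podList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parsing pod list: %w", err)
	}
	var out []Suspect
	for _, p := range list.Items {
		if _, isWorkflowPod := p.Metadata.Labels["workflows.argoproj.io/workflow"]; !isWorkflowPod {
			continue
		}
		v, present := p.Metadata.Annotations[podGCAnnotation]
		if !present || knownStrategies[v] {
			continue
		}
		out = append(out, Suspect{Namespace: p.Metadata.Namespace, Name: p.Metadata.Name, Value: v})
	}
	return out, nil
}

// DeleteCommands renders the kubectl commands that remove the suspect pods
// and so break the controller's crash loop.
func DeleteCommands(s []Suspect) []string {
	cmds := make([]string, 0, len(s))
	for _, x := range s {
		cmds = append(cmds, fmt.Sprintf("kubectl -n %s delete pod %s", x.Namespace, x.Name))
	}
	return cmds
}

// Constructed sample input (not real cluster data): one healthy workflow pod,
// one workflow pod with an unrecognised strategy value, and one non-workflow
// pod that carries the annotation and should be ignored.
const samplePods = `{"items":[
 {"metadata":{"name":"hello-abc","namespace":"argo","labels":{"workflows.argoproj.io/workflow":"hello"},
  "annotations":{"workflows.argoproj.io/pod-gc-strategy":"OnPodSuccess"}}},
 {"metadata":{"name":"hello-xyz","namespace":"argo","labels":{"workflows.argoproj.io/workflow":"hello"},
  "annotations":{"workflows.argoproj.io/pod-gc-strategy":"OnPodSuccess,,garbage"}}},
 {"metadata":{"name":"nginx","namespace":"default","labels":{"app":"nginx"},
  "annotations":{"workflows.argoproj.io/pod-gc-strategy":"bogus"}}}
]}`

func main() {
	raw := []byte(samplePods)
	if len(os.Args) > 1 { // optional path to a saved `kubectl get pods -A -o json`
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		raw = b
	}
	suspects, err := FindSuspectPods(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, s := range suspects {
		fmt.Printf("%s/%s has %s=%q\n", s.Namespace, s.Name, podGCAnnotation, s.Value)
	}
	for _, c := range DeleteCommands(suspects) {
		fmt.Println(c)
	}
}
```

Against a live cluster, save the pod list with `kubectl get pods -A -o json > pods.json` and pass the file path as the first argument. The API server keeps serving the pod list while the workflow controller is down, so this works in the middle of the crash loop. Review each flagged pod before deleting it: an unexpected value is evidence, not proof, that it is the one crashing the controller.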
Vulnerability Summary
| ID | Category | Detail |
|---|---|---|
| CVE-2026-40886 | Affected versions | Argo Workflows 3.6.5 through 4.0.4 (fixed in 4.0.5 and 3.7.14) |
| CVE-2026-40886 | Root cause | Unchecked array index in podGCFromPod() (CWE-129) |
| CVE-2026-40886 | Trigger | Malformed workflows.argoproj.io/pod-gc-strategy annotation on a workflow pod |
| CVE-2026-40886 | Impact | Denial of service: controller panic and persistent crash loop |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.