LeakyCreds

CVE-2026-42296 - Vulnerability Analysis

High, CVSS: 8.1

Last Updated: May 9, 2026

Argo Workflows - Broken Access Control

Published: May 9, 2026
Updated: May 9, 2026
Remote Exploitable

Overview

Argo Workflows versions before 3.7.14 and before 4.0.5 contain a broken access control vulnerability: the templateReferencing: Strict restriction can be bypassed, letting users with create Workflow permission escalate privileges and modify pod security settings. Exploitation requires create Workflow permission.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Users with create Workflow permission can escalate privileges and modify pod security settings, potentially compromising cluster security.

Mitigation

Upgrade to version 3.7.14, 4.0.5, or later.

Details

CVE ID: CVE-2026-42296
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N