Auth bypass in Argoproj Argo-workflows
CVE-2026-31892
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 2.9.0 to before 4.0.2 and 3.7.11, a user who can submit Workflows can completely bypass all security settings defined in…
Vulnerability class: Broken Access Control
EPSS: 0.000 (7.9th percentile)
Affected products
- Argoproj Argo-workflows — versions >= 4.0.0, < 4.0.2; >= 2.9.0, < 3.7.11
Weakness classification (CWE)
References
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3wf5-g532-rcrr (x_refsource_CONFIRM)