Authenticated users with permission to create workflows can bypass Argo Workflows' `templateReferencing: Strict` enforcement, the setting meant to confine submitted workflows to the templates administrators have vetted. An attacker who gets past it can set pod-level fields that Strict mode should have prevented: enable host network access, switch to a different service account, override the pod security context, and schedule workloads onto Kubernetes control plane nodes. Clusters that rely on Strict mode as their primary enforcement layer, with no independent admission control behind it, are exposed to full cluster compromise.
Remediation
Upgrade Argo Workflows to a patched release (3.7.14 or 4.0.5) as soon as possible. If you cannot upgrade right away, enforce supplementary controls at the admission layer, via PodSecurity Admission or OPA/Gatekeeper, so that host networking, service-account switching, privileged security contexts and control-plane scheduling are rejected by the API server regardless of what the Argo controller accepts. Admission policy applies to the pods the controller creates, so it holds even when Argo's own check is bypassed.
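As an added illustration of that supplementary layer (this is example configuration written for this page, not part of the advisory or of the Argo Workflows project), the manifests below label the namespace where workflow pods run for PodSecurity Admission and add a Gatekeeper ConstraintTemplate plus Constraint that rejects the four pod-level changes named above. The namespace name `argo-workflows`, the allowed service account `argo-workflow`, and the policy name `ArgoWorkflowPodGuard` are assumptions; adjust them to your cluster.

```yaml
# PodSecurity Admission: the "baseline" profile blocks hostNetwork, privileged
# containers and most dangerous securityContext overrides at the API server.
# "restricted" is only warned/audited here because it also requires runAsNonRoot
# and dropped capabilities, which may break existing workflow images; promote it
# to enforce once your workflows comply. Namespace name is an assumption.
apiVersion: v1
kind: Namespace
metadata:
  name: argo-workflows
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Gatekeeper covers what PodSecurity Admission does not: which service account a
# workflow pod may use, and whether it may be placed on control plane nodes.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: argoworkflowpodguard
spec:
  crd:
    spec:
      names:
        kind: ArgoWorkflowPodGuard
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedServiceAccounts:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package argoworkflowpodguard

        # Reject host networking even if the PSA label is later relaxed.
        violation[{"msg": msg}] {
          input.review.object.spec.hostNetwork == true
          msg := "workflow pods may not use hostNetwork"
        }

        # Only service accounts listed in the Constraint parameters are allowed.
        # The ServiceAccount admission plugin fills in spec.serviceAccountName
        # (default "default") before validating webhooks run, so the field is present.
        violation[{"msg": msg}] {
          sa := input.review.object.spec.serviceAccountName
          not allowed_sa(sa)
          msg := sprintf("serviceAccountName %q is not in the allow-list", [sa])
        }

        allowed_sa(sa) {
          input.parameters.allowedServiceAccounts[_] == sa
        }

        # Tolerating the control plane taint is how a pod lands on a control plane node.
        violation[{"msg": msg}] {
          tol := input.review.object.spec.tolerations[_]
          startswith(tol.key, "node-role.kubernetes.io/")
          msg := sprintf("toleration for %q would permit control plane scheduling", [tol.key])
        }

        # A nodeSelector on the control plane role label (new or legacy name) is rejected too.
        violation[{"msg": msg}] {
          key := {"node-role.kubernetes.io/control-plane", "node-role.kubernetes.io/master"}[_]
          _ = input.review.object.spec.nodeSelector[key]
          msg := sprintf("nodeSelector %q targets control plane nodes", [key])
        }
---
# Bind the policy to Pods in the workflow namespace. The allowed service account
# name is an assumption; list every account your workflows legitimately run as.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ArgoWorkflowPodGuard
metadata:
  name: argo-workflow-pods
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["argo-workflows"]
  parameters:
    allowedServiceAccounts: ["argo-workflow"]
```

Apply the Constraint with `enforcementAction: dryrun` first and review the violations Gatekeeper reports in the Constraint status before switching to `deny`, so that legitimate workflows (for example ones that already run under a second service account) are added to the allow-list rather than blocked. Because both controls act when the pod reaches the API server, they do not depend on the Argo controller's template validation and remain in force after the upgrade as defence in depth.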