🟠 高危 | CVE-2026-54526 — Argo Workflows is an open source container-native ...
🟠 《高危安全漏洞:CVE-2026-54526》
CVSS 评分: 高危(8.9) 状态: Received 发布时间: 2026-07-16
漏洞描述
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because workflow/util/merge.go ValidateUserOverrides and SanitizeUserWorkflowSpec walk only the top-level fields of WorkflowSpec via reflection, and WorkflowSpec.ArtifactGC is allow-listed wholesale; the struct behind that field, WorkflowLevelArtifactGC, has a PodSpecPatch sub-field whose contents flow unmodified into util.ApplyPodSpecPatch on the artifact-GC pod, the same sink the original fix closed for WorkflowSpec.PodSpecPatch, so a user submitting a Workflow under templateReferencing: Strict or Secure (against a referenced WorkflowTemplate that declares an output artifact and setting spec.artifactGC.strategy: OnWorkflowCompletion) can still inject an arbitrary strategic merge patch into the artifact-GC pod, including hostPath volumes, privileged: true, arbitrary image and command, and hostNetwork: true, defeating the stated purpose of Strict/Secure reference mode. This issue is fixed in versions 3.7.15 and 4.0.6.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-54526 |
| CVSS 评分 | 8.9 🟠 |
| 严重程度 | 高危 |
| CVSS 向量 | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| CWE 分类 | CWE-284 |
| 发布时间 | 2026-07-16 |
| 最后更新 | 2026-07-16 |
| 状态 | Received |
| 数据来源 | security-advisories@github.com |
🔗 参考链接
https://github.com/argoproj/argo-workflows/commit/277e9cef0ad16d7eaaab253573d0695951a65dbd
https://github.com/argoproj/argo-workflows/commit/358cc3968c8f06f1be0967e41df191088db0b662
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.15
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.6
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-48p8-g2fx-3wwm