fix(security): cherry-pick CVE-2026-31892 and CVE-2026-28229 fixes #341
Merged
jessesuen merged 3 commits on May 4, 2026
Conversation
podSpecPatch on a user-submitted Workflow bypasses all security settings defined in the referenced WorkflowTemplate, even when templateReferencing is set to Strict or Secure. The Strict mode check only verifies that workflowTemplateRef is present but does not inspect other spec fields that can override the template.

With this commit, workflows that include podSpecPatch when the controller requires template referencing are rejected.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Co-authored-by: Ville Vesilehto <ville@vesilehto.fi>
The informer-based caching introduced in f22ae3b bypassed caller authorization checks when reading templates. This adds explicit auth.CanI() checks before returning data from the informer cache, ensuring proper authorization while preserving performance benefits.

Signed-off-by: Alan Clucas <alan@clucas.org>
The cherry-picked test from upstream (commit 9064c7f) was written against a newer codebase that uses the `logging` package and a 3-arg signature for `newWorkflowOperationCtx`. Adapt the test to use release-3.7.10's existing API: `context.Background()` and `newWorkflowOperationCtx(wf, controller)`. The security fix in operator.go is unchanged. All 4 sub-tests pass.
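The first commit message above describes a presence-only check: as long as `workflowTemplateRef` is set, the submitted Workflow is accepted, and a `podSpecPatch` on the same Workflow is free to override whatever the referenced template pinned. The following Go program is an added illustration written for this page, not code from the Argo Workflows project or this PR; the types, the `validatePresenceOnly`/`validateWithOverrides` functions and the sample pod spec patch are hypothetical stand-ins that only mirror the shape needed to show the difference between the two checks.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical stand-ins for the Argo Workflows fields involved.
// These are NOT the project's real types; they only mirror the shape needed
// to show why a presence-only check on workflowTemplateRef is insufficient.
type WorkflowTemplateRef struct {
	Name string
}

type WorkflowSpec struct {
	WorkflowTemplateRef *WorkflowTemplateRef
	// PodSpecPatch is a free-form pod spec fragment merged into every pod the
	// workflow creates, so it can override securityContext and similar settings
	// that the referenced WorkflowTemplate was supposed to pin.
	PodSpecPatch string
}

// TemplateReferencing mirrors the controller setting of the same name.
type TemplateReferencing string

const (
	ReferencingDisabled TemplateReferencing = ""
	ReferencingStrict   TemplateReferencing = "Strict"
	ReferencingSecure   TemplateReferencing = "Secure"
)

var (
	ErrNoTemplateRef = errors.New("workflowTemplateRef is required when template referencing is enforced")
	ErrPodSpecPatch  = errors.New("podSpecPatch is not permitted on a submitted Workflow when template referencing is enforced")
)

// validatePresenceOnly reproduces the pre-fix behaviour described in the
// commit message: the only question asked is "is workflowTemplateRef set?".
func validatePresenceOnly(mode TemplateReferencing, spec WorkflowSpec) error {
	if mode == ReferencingDisabled {
		return nil
	}
	if spec.WorkflowTemplateRef == nil {
		return ErrNoTemplateRef
	}
	return nil
}

// validateWithOverrides is the hardened check: a reference is still required,
// and a submitted Workflow that also carries podSpecPatch is rejected, because
// that field would override the referenced template's pod-level settings.
func validateWithOverrides(mode TemplateReferencing, spec WorkflowSpec) error {
	if err := validatePresenceOnly(mode, spec); err != nil {
		return err
	}
	if mode != ReferencingDisabled && spec.PodSpecPatch != "" {
		return ErrPodSpecPatch
	}
	return nil
}

func main() {
	// Constructed input: a workflow that dutifully references a hardened
	// template but smuggles a privileged securityContext in via podSpecPatch.
	hostile := WorkflowSpec{
		WorkflowTemplateRef: &WorkflowTemplateRef{Name: "hardened-batch"},
		PodSpecPatch:        `{"containers":[{"name":"main","securityContext":{"privileged":true}}]}`,
	}
	for _, mode := range []TemplateReferencing{ReferencingStrict, ReferencingSecure} {
		fmt.Printf("%-6s presence-only:  %v\n", mode, validatePresenceOnly(mode, hostile))
		fmt.Printf("%-6s with overrides: %v\n", mode, validateWithOverrides(mode, hostile))
	}
}
```

The point the example makes is the one in the commit message: a check that only asks whether a reference exists is not a check that the referenced template is actually what runs. Any field on the submitted object that is merged into the resulting pods has to be treated as an override and rejected (or stripped) when referencing is enforced; `podSpecPatch` is the one this PR covers.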
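The second commit message describes the other fix: a cache was put in front of template reads, and the authorization that used to ride along with the API round-trip was silently lost for cache hits. The Go program below is an added illustration for this page, not the Argo Workflows server's code; the `templateStore`, the `Authorizer` function type standing in for a CanI-style check, and the in-memory policy are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the server-side pieces named in the commit
// message; not the Argo Workflows server's real types or signatures.
type WorkflowTemplate struct {
	Namespace string
	Name      string
}

// Authorizer has the shape of a CanI-style check: may this caller perform
// verb on resource in namespace? A real deployment would back it with a
// SubjectAccessReview; here it is a constructed in-memory policy.
type Authorizer func(user, namespace, verb, resource string) bool

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// templateStore holds the cache that replaced a direct API read. The map
// stands in for the informer cache: populated once, read many times.
type templateStore struct {
	cache map[string]*WorkflowTemplate
	canI  Authorizer
}

func cacheKey(namespace, name string) string { return namespace + "/" + name }

// getUnchecked reproduces the bug: the authorization that used to happen on
// the API round-trip was lost when the read was served from the cache, so any
// caller who can reach this code path sees any cached template.
func (s *templateStore) getUnchecked(_ string, namespace, name string) (*WorkflowTemplate, error) {
	if t, ok := s.cache[cacheKey(namespace, name)]; ok {
		return t, nil
	}
	return nil, ErrNotFound
}

// getChecked is the corrected read: the caller's permission is verified
// before anything is returned from the cache. Checking before the lookup
// (not after) also avoids telling an unauthorized caller whether the
// template exists.
func (s *templateStore) getChecked(user, namespace, name string) (*WorkflowTemplate, error) {
	if !s.canI(user, namespace, "get", "workflowtemplates") {
		return nil, ErrForbidden
	}
	t, ok := s.cache[cacheKey(namespace, name)]
	if !ok {
		return nil, ErrNotFound
	}
	return t, nil
}

// newDemoStore builds a store with a constructed two-namespace cache and a
// policy where "alice" may read only in "team-a" and "bob" only in "team-b".
func newDemoStore() *templateStore {
	allowed := map[string]string{"alice": "team-a", "bob": "team-b"}
	return &templateStore{
		cache: map[string]*WorkflowTemplate{
			cacheKey("team-a", "build"):  {Namespace: "team-a", Name: "build"},
			cacheKey("team-b", "deploy"): {Namespace: "team-b", Name: "deploy"},
		},
		canI: func(user, namespace, verb, resource string) bool {
			return verb == "get" && resource == "workflowtemplates" && allowed[user] == namespace
		},
	}
}

func main() {
	s := newDemoStore()
	_, err := s.getUnchecked("alice", "team-b", "deploy")
	fmt.Println("unchecked cross-namespace read:", err) // nil error: data leaked
	_, err = s.getChecked("alice", "team-b", "deploy")
	fmt.Println("checked cross-namespace read:  ", err) // forbidden
}
```

The review lesson is general: when a performance change swaps a remote read for a local one, the authorization that the remote side performed does not come along for free, so the cache-hit path needs its own explicit check, and the check belongs before the lookup so that a denied caller learns nothing about what is cached.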
jessesuen approved these changes on May 4, 2026
Fixes #N/A
Motivation
The akuity v3.7.10 build currently covers 4 of the 6 CVEs that are fixed in v3.7.11. Two High-severity first-party security fixes are only present in the upstream `release-3.7.11` branch:

- CVE-2026-31892
- CVE-2026-28229
We cannot simply move users to v3.7.11 because v3.7.11 introduces a separate runtime-breaking change (commit `477442702` — strict expression resolution for `tasks.`/`steps.`). This PR cherry-picks just the two security fixes without pulling in the runtime breakage.
Modifications
Verification
Documentation
No documentation changes needed — these are scoped security backports.