CVE-2026-42183
Severity: MEDIUM
Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
Title source: cna
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In versions from 4.0.0 up to but not including 4.0.5, a nil pointer dereference in rbacAuthorization() in server/auth/gatekeeper.go causes a panic, and therefore a denial of service, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true and an SSO user's claims match a namespace-level RBAC rule but no rule in the SSO namespace. This issue has been patched in version 4.0.5.
References (3)
Core References (3)
x_refsource_confirm
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p4gq-3vxj-f4jq
x_refsource_misc
https://github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d4
x_refsource_misc
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5
Scores
CVSS v3
6.5
EPSS
0.0038
EPSS Percentile
29.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (3)
argoproj/argo-workflows
4.0.0 - 4.0.5 (Go)
argoproj/argo-workflows
>= 4.0.0, < 4.0.5
argoproj/argo_workflows
4.0.0 - 4.0.5
Published
May 09, 2026
Tracked Since
May 09, 2026