Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. This issue has been patched in version 4.0.5.
Published: 2026-05-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a nil pointer dereference (CWE-476) in rbacAuthorization() in server/auth/gatekeeper.go, the SSO authorization code of the Argo Server (the API/UI server, not the workflow controller). When SSO_DELEGATE_RBAC_TO_NAMESPACE=true and an SSO user's claims match a namespace-level RBAC rule but no rule in the SSO namespace, the server dereferences a nil pointer and panics while handling that user's request. The result is a denial of service: the request fails and, if the panic is not recovered, the argo-server process exits and is restarted by Kubernetes. The CVSS vector records no confidentiality or integrity impact (VC:N/VI:N) and low availability impact (VA:L); the bug does not allow code execution, privilege escalation, or data access.

Affected Systems

The fault affects argoproj’s Argo Workflows, version 4.0.0 through the release immediately preceding 4.0.5. The patch that fixes the issue is published in version 4.0.5 and later releases.

Risk and Exploitability

The CVSS 4.0 base score of 2.3 (Low) reflects the attack preconditions encoded in the vector: PR:L means the attacker must already hold a valid SSO session, and AT:P means the opt-in condition that SSO_DELEGATE_RBAC_TO_NAMESPACE is enabled and the user's claims fall into the rule gap described above. EPSS is below 1% and the CVE is not in CISA KEV, so the likelihood of observed exploitation is low. Because the trigger is a logged-in user whose own claims land in that gap, the most likely outcome is an accidental, self-inflicted outage rather than a deliberate attack, although any such user can repeat the request and keep the server crashing. Patching removes the crash rather than relying on RBAC rules never to line up this way.

Generated by OpenCVE AI on May 9, 2026 at 05:51 UTC.

Remediation

Fixed upstream in Argo Workflows 4.0.5. Earlier 4.0.x releases have no vendor patch; the vendor-supported workaround is to disable SSO_DELEGATE_RBAC_TO_NAMESPACE until the upgrade.

OpenCVE Recommended Actions

  • Upgrade to Argo Workflows 4.0.5 or later to apply the fix for the nil pointer dereference.
  • If upgrading cannot occur immediately, set SSO_DELEGATE_RBAC_TO_NAMESPACE=false on the argo-server deployment so the failing code path is never reached. Note that this also turns off namespace-level RBAC delegation, so SSO users who were being mapped to service accounts in workflow namespaces will only match rules in the SSO namespace.
  • Until patched, make sure every SSO user who can match a namespace-level rbac-rule also matches some rule in the SSO namespace, for example a low-precedence catch-all ServiceAccount annotated with workflows.argoproj.io/rbac-rule: "true". By the trigger condition in the advisory, the crash only occurs when no SSO-namespace rule matches, so a catch-all rule keeps that branch from being reached.
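The following is an added audit script, not code from OpenCVE or the Argo project. It takes the argo-server Deployment and the ServiceAccounts of the SSO namespace (as returned by kubectl in JSON form) and reports whether a cluster is exposed to this CVE: an affected image tag in the 4.0.0 to 4.0.4 range, SSO_DELEGATE_RBAC_TO_NAMESPACE set to true, and the absence of a catch-all SSO-namespace rule. The sample Deployment and ServiceAccount objects are constructed inline; the annotation key workflows.argoproj.io/rbac-rule is taken from Argo's SSO RBAC documentation rather than from this page, and the version range and environment variable name come from the advisory.

```python
"""Audit an argo-server Deployment for exposure to CVE-2026-42183.

The two sample objects below are constructed to resemble the output of
`kubectl get deploy argo-server -o json` and the `.items` list of
`kubectl get sa -n <sso-namespace> -o json`; they are not real cluster data.
"""
import re

AFFECTED_MIN = (4, 0, 0)  # first affected release (from the advisory)
FIXED_IN = (4, 0, 5)      # first fixed release (from the advisory)
DELEGATE_ENV = "SSO_DELEGATE_RBAC_TO_NAMESPACE"
# Assumed from Argo's SSO RBAC docs: rules live in this ServiceAccount annotation.
RBAC_RULE_ANNOTATION = "workflows.argoproj.io/rbac-rule"


def parse_version(image):
    """Return (major, minor, patch) parsed from an image reference's tag,
    e.g. 'quay.io/argoproj/argocli:v4.0.3' -> (4, 0, 3).
    Returns None for untagged images, digests, or tags such as 'latest'."""
    last = image.split("/")[-1]                      # 'argocli:v4.0.3' or 'argocli'
    tag = last.split(":", 1)[1] if ":" in last else ""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(image):
    """True only for 4.0.0 <= version < 4.0.5. Unparseable tags return False here
    and are flagged separately by assess() so they are not silently treated as safe."""
    v = parse_version(image)
    return v is not None and AFFECTED_MIN <= v < FIXED_IN


def delegation_enabled(deployment):
    """True if any container in the pod template sets the delegation flag to true."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for env in c.get("env", []):
            if env.get("name") == DELEGATE_ENV and str(env.get("value", "")).strip().lower() == "true":
                return True
    return False


def has_catch_all_rule(service_accounts):
    """True if some ServiceAccount in the SSO namespace carries the rule 'true',
    which matches every SSO user and so closes the gap that triggers the crash."""
    for sa in service_accounts:
        rule = sa.get("metadata", {}).get("annotations", {}).get(RBAC_RULE_ANNOTATION, "")
        if rule.strip() == "true":
            return True
    return False


def assess(deployment, sso_namespace_service_accounts):
    """Combine the three checks into a single verdict for this CVE."""
    images = [c["image"] for c in deployment["spec"]["template"]["spec"]["containers"]]
    affected = any(is_affected_version(i) for i in images)
    unknown = any(parse_version(i) is None for i in images)
    delegating = delegation_enabled(deployment)
    catch_all = has_catch_all_rule(sso_namespace_service_accounts)
    if not affected:
        verdict = "version-unknown" if unknown else "not-affected"
    elif not delegating:
        verdict = "affected-version-delegation-off"  # patch anyway; not reachable as configured
    elif catch_all:
        verdict = "exposed-but-mitigated"            # every user matches an SSO-namespace rule
    else:
        verdict = "exposed"
    return {"images": images, "affected_version": affected, "delegation_enabled": delegating,
            "catch_all_rule": catch_all, "verdict": verdict}


# Constructed sample: an argo-server on 4.0.3 with delegation turned on.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "argo-server", "namespace": "argo"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "argo-server",
        "image": "quay.io/argoproj/argocli:v4.0.3",
        "env": [{"name": DELEGATE_ENV, "value": "true"}],
    }]}}},
}

# Constructed sample: only a group-scoped rule in the SSO namespace, no catch-all.
SAMPLE_SERVICE_ACCOUNTS = [{
    "metadata": {"name": "admin-user", "namespace": "argo", "annotations": {
        RBAC_RULE_ANNOTATION: "'admin' in groups",
        "workflows.argoproj.io/rbac-rule-precedence": "1",
    }},
}]

if __name__ == "__main__":
    print(assess(SAMPLE_DEPLOYMENT, SAMPLE_SERVICE_ACCOUNTS))
```

To run it against a live cluster, replace the two samples with `json.load` of `kubectl -n argo get deploy argo-server -o json` and the `items` of `kubectl -n argo get sa -o json`. A verdict of "exposed" means an affected build with delegation on and no catch-all rule; "exposed-but-mitigated" still calls for the upgrade, since it rests on the rule set never changing.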

Advisories
Source: GitHub GHSA
ID: GHSA-p4gq-3vxj-f4jq
Title: Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
History

Sat, 09 May 2026 05:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Argoproj; Argoproj argo-workflows
Vendors & Products    -                Argoproj; Argoproj argo-workflows

Sat, 09 May 2026 04:15:00 +0000

Type          Values Removed   Values Added
Description   -                Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. This issue has been patched in version 4.0.5.
Title         -                Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
Weaknesses    -                CWE-476
References    -                (none recorded)
Metrics       -                cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:44:10.712Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42183

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T04:16:23.810

Modified: 2026-05-09T04:16:23.810

Link: CVE-2026-42183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:00:12Z

Weaknesses