CVE-2026-42183 Overview
CVE-2026-42183 is a nil pointer dereference vulnerability [CWE-476] in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The flaw resides in the rbacAuthorization() function within server/auth/gatekeeper.go and affects versions 4.0.0 through 4.0.4. When SSO_DELEGATE_RBAC_TO_NAMESPACE=true, an authenticated SSO user whose claims match a namespace-level RBAC rule but not an SSO-namespace rule triggers a server panic. The panic results in a denial of service condition for the Argo Workflows server. The issue is patched in version 4.0.5.
Critical Impact
Authenticated SSO users with specific claim configurations can crash the Argo Workflows server, causing denial of service for workflow orchestration on Kubernetes clusters.
Affected Products
- Argoproj Argo Workflows versions 4.0.0 through 4.0.4
- Argo Workflows deployments with SSO_DELEGATE_RBAC_TO_NAMESPACE=true
Discovery Timeline
- 2026-05-09 - CVE-2026-42183 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42183
Vulnerability Analysis
The vulnerability exists in the SSO RBAC delegation logic of the Argo Workflows server. When SSO delegation to namespace RBAC is enabled, the rbacAuthorization() function in server/auth/gatekeeper.go evaluates both a login-level service account and a namespace-level service account. The code compares precedence between the two accounts to select the delegated account. The comparison precedence(namespaceAccount) > precedence(loginAccount) dereferences loginAccount without verifying it is non-nil. When an SSO user's claims match a namespace-level RBAC rule but no SSO-namespace rule produces a valid loginAccount, the dereference triggers a Go runtime panic. The panic terminates the request handler and disrupts server availability.
Root Cause
The root cause is a missing nil check on the loginAccount pointer before invoking precedence() on it. The fix adds an explicit loginAccount == nil short-circuit to the conditional, falling through to delegate to the namespace account when no login account exists.
Attack Vector
An authenticated SSO user sends a request to the Argo Workflows API server with claims that map to a namespace-level RBAC rule but lack a corresponding SSO-namespace rule. The request reaches rbacAuthorization(), which produces a nil loginAccount. The subsequent precedence comparison panics, crashing the request handler.
// Patch from server/auth/gatekeeper.go
namespaceAccount, err := s.getServiceAccount(claims, getNamespace(req))
if err != nil {
logger.WithError(err).Info(ctx, "Error while SSO Delegation")
- } else if precedence(namespaceAccount) > precedence(loginAccount) {
+ } else if loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount) {
delegatedAccount = namespaceAccount
ssoDelegated = true
}
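Review bot: the short-circuit added on the `+` line guards loginAccount only; precedence(namespaceAccount) is still evaluated first on the same line with no nil check, so if getServiceAccount can ever return a nil account together with a nil error the identical dereference panic recurs one argument over. Suggest guarding both operands, e.g. `} else if namespaceAccount != nil && (loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount)) {`, and adding a one-line comment stating that a missing login account intentionally falls through to namespace delegation, since that is a policy choice rather than an obvious default.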
Source: GitHub Commit c4cc17d
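The vulnerable conditional and its fix, as an added, self-contained Go example that is not code from Argo Workflows or from the commit above. The ServiceAccount and rbacRule types, the getServiceAccount lookup (which returns nil when no rule in the requested namespace matches, the situation the advisory describes), the Run and safeCall helpers and the two-namespace rule set are all constructed for illustration. delegateVulnerable reproduces the pre-4.0.5 comparison and delegateFixed the patched one; safeCall recovers the runtime panic so both variants can be run side by side in one process:

```go
package main

import "fmt"

// ServiceAccount is a constructed stand-in for the Kubernetes ServiceAccount that
// Argo resolves from SSO claims; only its precedence annotation matters here.
type ServiceAccount struct {
	Name       string
	Precedence int
}

// precedence reads the account's precedence and, like the real helper, dereferences
// its argument: calling it with a nil account panics.
func precedence(sa *ServiceAccount) int {
	return sa.Precedence
}

// rbacRule is a constructed stand-in for an SSO RBAC rule: the namespace it lives in,
// the claim group it matches, and the service account it selects.
type rbacRule struct {
	Namespace string
	Group     string
	Account   *ServiceAccount
}

// getServiceAccount returns the account of the first rule in namespace that matches
// one of the user's groups, or nil when no rule matches (constructed behaviour that
// models "no SSO-namespace rule produces a valid loginAccount").
func getServiceAccount(rules []rbacRule, groups []string, namespace string) *ServiceAccount {
	for _, r := range rules {
		if r.Namespace != namespace {
			continue
		}
		for _, g := range groups {
			if g == r.Group {
				return r.Account
			}
		}
	}
	return nil
}

// delegateVulnerable mirrors the pre-4.0.5 conditional: precedence() is applied to
// loginAccount without checking it for nil.
func delegateVulnerable(loginAccount, namespaceAccount *ServiceAccount) (*ServiceAccount, bool) {
	if precedence(namespaceAccount) > precedence(loginAccount) {
		return namespaceAccount, true
	}
	return loginAccount, false
}

// delegateFixed mirrors the 4.0.5 conditional: a nil loginAccount short-circuits to
// namespace delegation, so precedence() is never called on nil.
func delegateFixed(loginAccount, namespaceAccount *ServiceAccount) (*ServiceAccount, bool) {
	if loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount) {
		return namespaceAccount, true
	}
	return loginAccount, false
}

// safeCall runs one delegation variant and converts a runtime panic into an error so
// the vulnerable path can be exercised without crashing the process.
func safeCall(fn func() (*ServiceAccount, bool)) (acct *ServiceAccount, delegated bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("request handler panicked: %v", r)
		}
	}()
	acct, delegated = fn()
	return acct, delegated, nil
}

// constructedScenario builds the advisory's situation: the user's group matches a rule
// in a workflow namespace ("team-a") but no rule in the SSO namespace ("argo").
func constructedScenario() ([]rbacRule, []string) {
	rules := []rbacRule{
		{Namespace: "argo", Group: "platform-admins", Account: &ServiceAccount{Name: "admin-sa", Precedence: 10}},
		{Namespace: "team-a", Group: "team-a-devs", Account: &ServiceAccount{Name: "team-a-sa", Precedence: 1}},
	}
	return rules, []string{"team-a-devs"}
}

// Run resolves both accounts and applies either the vulnerable or the fixed conditional.
func Run(fixed bool) (*ServiceAccount, bool, error) {
	rules, groups := constructedScenario()
	loginAccount := getServiceAccount(rules, groups, "argo")       // nil: no SSO-namespace rule
	namespaceAccount := getServiceAccount(rules, groups, "team-a") // matches the namespace rule
	delegate := delegateVulnerable
	if fixed {
		delegate = delegateFixed
	}
	return safeCall(func() (*ServiceAccount, bool) { return delegate(loginAccount, namespaceAccount) })
}

func main() {
	for _, fixed := range []bool{false, true} {
		acct, delegated, err := Run(fixed)
		name := "<nil>"
		if acct != nil {
			name = acct.Name
		}
		fmt.Printf("fixed=%-5v delegatedAccount=%-9s ssoDelegated=%-5v err=%v\n", fixed, name, delegated, err)
	}
}
```

Running the block prints one line per variant: the vulnerable path reports a recovered nil pointer dereference, the fixed path delegates to team-a-sa. safeCall exists only so both outcomes fit in one run; the advisory describes the unrecovered panic taking the request handler down.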
Detection Methods for CVE-2026-42183
Indicators of Compromise
- Argo Workflows server logs containing Go runtime panic stack traces referencing server/auth/gatekeeper.go and rbacAuthorization.
- Repeated HTTP 5xx responses or dropped connections from the Argo Workflows API server following SSO authentication requests.
- Kubernetes pod restarts or crash loops on the argo-server deployment correlated with SSO login activity.
Detection Strategies
- Monitor Argo Workflows server logs for Go panic messages, in particular entries containing "runtime error: invalid memory address or nil pointer dereference".
- Audit SSO claim-to-RBAC mappings to identify users whose claims match namespace rules without corresponding SSO-namespace rules.
- Track Argo Workflows server pod restart counts and readiness probe failures in Kubernetes monitoring.
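A detection routine covering the log-based indicator and the first detection strategy above, as an added Go example that is not part of the advisory: it scans log text for Go panic lines and checks whether the stack frames that follow reference server/auth/gatekeeper.go or rbacAuthorization, so a nil pointer panic in the gatekeeper is told apart from unrelated panics. The sample log, its timestamps, goroutine ids, frame arguments, module path and line numbers are constructed, and DetectGatekeeperPanics, PanicHit and CountCVEMatches are names chosen for this example:

```go
package main

import (
	"fmt"
	"strings"
)

// PanicHit records one panic found in the log: the 1-based line it starts on, whether
// it is a nil pointer dereference, and whether a following frame is in the gatekeeper.
type PanicHit struct {
	Line         int
	NilDeref     bool
	InGatekeeper bool
}

// MatchesCVE reports whether the hit carries both halves of the CVE-2026-42183 signature.
func (h PanicHit) MatchesCVE() bool { return h.NilDeref && h.InGatekeeper }

// DetectGatekeeperPanics finds every "panic:" line and inspects at most maxFrames
// subsequent lines for a frame referencing the gatekeeper file or function.
func DetectGatekeeperPanics(logText string, maxFrames int) []PanicHit {
	lines := strings.Split(logText, "\n")
	var hits []PanicHit
	for i, l := range lines {
		if !strings.HasPrefix(strings.TrimSpace(l), "panic:") {
			continue
		}
		hit := PanicHit{Line: i + 1, NilDeref: strings.Contains(l, "nil pointer dereference")}
		end := i + 1 + maxFrames
		if end > len(lines) {
			end = len(lines)
		}
		for _, frame := range lines[i+1 : end] {
			if strings.Contains(frame, "server/auth/gatekeeper.go") || strings.Contains(frame, "rbacAuthorization") {
				hit.InGatekeeper = true
				break
			}
		}
		hits = append(hits, hit)
	}
	return hits
}

// CountCVEMatches returns how many hits carry the full signature.
func CountCVEMatches(hits []PanicHit) int {
	n := 0
	for _, h := range hits {
		if h.MatchesCVE() {
			n++
		}
	}
	return n
}

// SampleLog is constructed for this example (not a real capture): an SSO login line, a
// gatekeeper nil pointer panic, and an unrelated panic for contrast. The module path is
// abbreviated and the hex arguments and :0 line numbers are placeholders.
const SampleLog = `time="2026-05-10T10:00:00Z" level=info msg="SSO user authenticated" email="dev@example.com"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]

goroutine 17 [running]:
argo-workflows/server/auth.(*gatekeeper).rbacAuthorization(0xc0001a2000, 0xc0002b8000)
	server/auth/gatekeeper.go:0 +0x0
time="2026-05-10T10:05:00Z" level=info msg="unrelated panic for contrast"
panic: runtime error: index out of range [3] with length 3

goroutine 23 [running]:
example.com/constructed/other.Sort(0xc0003c0000)
	constructed/other/sort.go:0 +0x0
`

func main() {
	hits := DetectGatekeeperPanics(SampleLog, 8)
	for _, h := range hits {
		fmt.Printf("line %d: nilDeref=%v inGatekeeper=%v matchesCVE=%v\n", h.Line, h.NilDeref, h.InGatekeeper, h.MatchesCVE())
	}
	fmt.Printf("CVE-2026-42183 signature matches: %d\n", CountCVEMatches(hits))
}
```

Feed it the argo-server container log (kubectl logs on the argo-server pod, with --previous after a restart, since the panic output lands in the crashed container's log) and alert when CountCVEMatches is non-zero; correlating a hit with the SSO identity that triggered it needs the request log lines around it and belongs in the logging pipeline.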
Monitoring Recommendations
- Alert on Argo Workflows server availability drops and pod restart spikes in Prometheus or equivalent telemetry.
- Correlate SSO authentication events with subsequent server crashes to identify trigger patterns.
- Review the SSO_DELEGATE_RBAC_TO_NAMESPACE configuration setting across all Argo Workflows deployments.
How to Mitigate CVE-2026-42183
Immediate Actions Required
- Upgrade Argo Workflows to version 4.0.5 or later, which contains the nil pointer fix.
- Inventory all Argo Workflows installations and verify the SSO_DELEGATE_RBAC_TO_NAMESPACE setting.
- Review SSO RBAC rule definitions to ensure SSO-namespace rules exist for all claim sets matching namespace-level rules.
Patch Information
The vulnerability is patched in Argo Workflows version 4.0.5. The fix adds a nil check on loginAccount before invoking the precedence() comparison. See the GitHub Security Advisory GHSA-p4gq-3vxj-f4jq and the GitHub Release v4.0.5 for full details.
Workarounds
- Disable SSO RBAC namespace delegation by setting SSO_DELEGATE_RBAC_TO_NAMESPACE=false until patching is complete.
- Restrict SSO access to users whose claims map to both SSO-namespace and namespace-level RBAC rules.
- Place the Argo Workflows API server behind a reverse proxy that can rate-limit authenticated requests to reduce DoS impact.
# Upgrade Argo Workflows using Helm to the patched release.
# Note: --version selects the Helm chart version, which is numbered separately from the
# application version; substitute the chart release whose appVersion is 4.0.5 or later
# (list them with: helm search repo argo/argo-workflows --versions)
helm repo update
helm upgrade argo-workflows argo/argo-workflows \
--namespace argo \
--version 4.0.5
# Temporary workaround: disable SSO RBAC namespace delegation
kubectl set env deployment/argo-server \
-n argo \
SSO_DELEGATE_RBAC_TO_NAMESPACE=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


