
Argo Workflows CVE-2026-42183

Severity: LOW
Weakness: NULL Pointer Dereference (CWE-476)
2026-05-04 | https://github.com/argoproj/argo-workflows | GHSA-p4gq-3vxj-f4jq
CVSS 4.0 base score: 2.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

CVSS changed: May 09, 2026 04:22 (NVD) - 2.3 (LOW)
Source Code Evidence Fetched: May 04, 2026 21:00 (vuln.today)
Analysis Generated: May 04, 2026 21:00 (vuln.today)

Description (NVD)

Summary

A nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true.

Details

When getServiceAccount(claims, ssoNamespace) returns nil (no matching rule), the error is suppressed and loginAccount remains nil. If RBAC delegation then finds a matching namespaceAccount, line 304 calls precedence(loginAccount), which unconditionally reads serviceAccount.Annotations: a nil pointer dereference.

Affected code (v4.0.4):

```go
// gatekeeper.go:304
} else if precedence(namespaceAccount) > precedence(loginAccount) {
    // loginAccount is nil here -> precedence(nil) -> PANIC

// gatekeeper.go:232-234
func precedence(serviceAccount *corev1.ServiceAccount) int {
    // serviceAccount is dereferenced without a nil check
    i, _ := strconv.Atoi(serviceAccount.Annotations[common.AnnotationKeyRBACRulePrecedence])
    return i
}
```

PoC

Live-tested 2026-04-17: kind cluster, Argo Workflows v4.0.4, Dex v2.43.1 OIDC provider.

  1. Deploy Argo Workflows with --auth-mode=sso --auth-mode=client, SSO pointing to Dex, RBAC enabled.
  2. Set SSO_DELEGATE_RBAC_TO_NAMESPACE=true on the argo-server deployment.
  3. Create an RBAC ServiceAccount with workflows.argoproj.io/rbac-rule: "true" annotation in a target namespace (e.g., target-ns).
  4. Do not create a matching RBAC rule in the SSO namespace (argo).
  5. Authenticate via the Dex SSO flow.
  6. Request GET /api/v1/workflows/target-ns with the SSO session cookie.
  7. Server returns HTTP 500: {"code":13,"message":"runtime error: invalid memory address or nil pointer dereference"}
  8. Server logs: Recovered from panic with stack trace at gatekeeper.go:233 (precedence()) called from gatekeeper.go:304.

Every subsequent API request from affected SSO users triggers the same panic.

Impact

Permanent denial of service for any SSO user whose claims don't match SSO-namespace RBAC but do match a target namespace rule. Realistic in multi-tenant deployments with per-namespace RBAC. The gRPC recovery interceptor catches the panic so the server process survives, but the affected user gets HTTP 500 on every request.

Suggested Fix

Add a nil check before the precedence comparison at gatekeeper.go:304:

```go
} else if loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount) {
```
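The following is an added, self-contained model of the Details and Suggested Fix sections above; it is not code from the Argo Workflows repository. It assumes a stand-in ServiceAccount struct with only an Annotations map (the real type is corev1.ServiceAccount), assumes the branch structure around the comparison at gatekeeper.go:304, and uses a deferred recover in place of Argo's gRPC recovery interceptor so the vulnerable path reports the nil-pointer panic as an error instead of crashing. The hardened path applies the suggested loginAccount == nil guard and additionally makes precedence() itself nil-safe.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation name from the advisory (common.AnnotationKeyRBACRulePrecedence in Argo).
const AnnotationKeyRBACRulePrecedence = "workflows.argoproj.io/rbac-rule-precedence"

// ServiceAccount is a stand-in for corev1.ServiceAccount carrying only the
// field the bug touches (assumption: the real type has many more fields).
type ServiceAccount struct {
	Name        string
	Annotations map[string]string
}

// precedenceUnchecked mirrors the helper quoted from gatekeeper.go:232-234:
// it reads sa.Annotations without checking that sa is non-nil.
func precedenceUnchecked(sa *ServiceAccount) int {
	i, _ := strconv.Atoi(sa.Annotations[AnnotationKeyRBACRulePrecedence])
	return i
}

// precedence is the hardened helper: a missing account has no precedence.
// Indexing a nil map is safe in Go, so only the pointer needs guarding.
func precedence(sa *ServiceAccount) int {
	if sa == nil {
		return 0
	}
	i, _ := strconv.Atoi(sa.Annotations[AnnotationKeyRBACRulePrecedence])
	return i
}

// chooseAccountVulnerable models the comparison at gatekeeper.go:304 as the
// advisory describes it (the surrounding branch structure is assumed).
// The deferred recover stands in for Argo's gRPC recovery interceptor: the
// panic becomes an error (the HTTP 500 the user sees) instead of a crash.
func chooseAccountVulnerable(loginAccount, namespaceAccount *ServiceAccount) (chosen *ServiceAccount, err error) {
	defer func() {
		if r := recover(); r != nil {
			chosen, err = nil, fmt.Errorf("recovered from panic: %v", r)
		}
	}()
	if namespaceAccount == nil {
		return loginAccount, nil
	}
	// loginAccount may be nil here (no SSO-namespace rule matched).
	if precedenceUnchecked(namespaceAccount) > precedenceUnchecked(loginAccount) {
		return namespaceAccount, nil
	}
	return loginAccount, nil
}

// chooseAccount applies the suggested fix: when no SSO-namespace rule matched,
// the delegated namespace account wins outright; otherwise compare precedence.
func chooseAccount(loginAccount, namespaceAccount *ServiceAccount) *ServiceAccount {
	if namespaceAccount == nil {
		return loginAccount
	}
	if loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount) {
		return namespaceAccount
	}
	return loginAccount
}

func main() {
	// Constructed scenario matching the PoC: a rule in target-ns matched,
	// nothing matched in the SSO namespace, so loginAccount is nil.
	nsAccount := &ServiceAccount{
		Name:        "target-ns-rbac-sa",
		Annotations: map[string]string{AnnotationKeyRBACRulePrecedence: "1"},
	}
	if _, err := chooseAccountVulnerable(nil, nsAccount); err != nil {
		fmt.Println("vulnerable path:", err)
	}
	fmt.Println("fixed path selects:", chooseAccount(nil, nsAccount).Name)
}
```

Running the block prints the recovered "invalid memory address or nil pointer dereference" error for the vulnerable path and the namespace account name for the fixed path. Guarding inside precedence() as well as at the call site means a future caller that forgets the check degrades to "no precedence" rather than a panic.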

AI Disclosure

This advisory was prepared with AI assistance (Claude Code, Anthropic).

Analysis (AI)

Denial of service via nil pointer dereference in Argo Workflows 4.0.0-4.0.4 affects SSO users with RBAC namespace delegation enabled when their identity claims match a namespace-level RBAC rule but not an SSO-namespace rule. The gatekeeper.go rbacAuthorization() function unconditionally dereferences a nil serviceAccount pointer when comparing rule precedence, causing an HTTP 500 panic on every API request from the affected user. …
