CVE-2026-42183: Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
A nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true.
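The failure mode described above, as an added Go model that is not code from Argo Workflows or its fix commit: an SSO user's group matches a namespace-level rule but no SSO-namespace rule, and the unchecked lookup result is dereferenced. All type and function names, the rule table, the "argo" and "team-a" namespaces, and the lookup precedence in authorizeSafe are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ServiceAccount is a hypothetical stand-in for the account an RBAC rule selects.
type ServiceAccount struct{ Name string }

// rules is a constructed table: namespace -> SSO group claim -> account.
type rules map[string]map[string]*ServiceAccount

// match returns nil when no rule in ns matches the group claim.
func (r rules) match(ns, group string) *ServiceAccount { return r[ns][group] }

var ErrNoRule = errors.New("no matching RBAC rule")

// authorizeUnsafe models the bug class: the SSO-namespace result is used unchecked.
func authorizeUnsafe(r rules, ssoNS, ns, group string) (name string, err error) {
	defer func() { // recover only so this demo can report the panic as an error
		if p := recover(); p != nil {
			err = fmt.Errorf("panic: %v", p)
		}
	}()
	sso := r.match(ssoNS, group)
	if nsAcct := r.match(ns, group); nsAcct != nil {
		return nsAcct.Name + " via " + sso.Name, nil // sso may be nil here
	}
	return sso.Name, nil
}

// authorizeSafe checks every lookup result before use and fails closed.
func authorizeSafe(r rules, ssoNS, ns, group string) (string, error) {
	if nsAcct := r.match(ns, group); nsAcct != nil {
		return nsAcct.Name, nil
	}
	if sso := r.match(ssoNS, group); sso != nil {
		return sso.Name, nil
	}
	return "", ErrNoRule
}

// sampleRules: group "dev" matches only in namespace "team-a" (constructed data).
func sampleRules() rules {
	return rules{"team-a": {"dev": {Name: "team-a-sa"}}, "argo": {}}
}

func main() {
	fmt.Println(authorizeUnsafe(sampleRules(), "argo", "team-a", "dev"))
	fmt.Println(authorizeSafe(sampleRules(), "argo", "team-a", "dev"))
}
```

In a server without a recover in the request path, the same dereference ends the process rather than returning an error, which is why an authorization lookup that can return nil has to be checked on every branch.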
References
- github.com/advisories/GHSA-p4gq-3vxj-f4jq
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d4
- github.com/argoproj/argo-workflows/releases/tag/v4.0.5
- github.com/argoproj/argo-workflows/security/advisories/GHSA-p4gq-3vxj-f4jq
- nvd.nist.gov/vuln/detail/CVE-2026-42183