PT-2026-37171 · Unknown · Argo Workflows

Wernerina · Published 2026-05-04 · Updated 2026-05-12 · CVE-2026-42183

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Argo Workflows versions 4.0.0 through 4.0.4

Description

A nil pointer dereference in the rbacAuthorization() function in server/auth/gatekeeper.go can cause a denial of service for SSO users. It occurs when SSO_DELEGATE_RBAC_TO_NAMESPACE is set to true and a user's claims match a namespace-level RBAC rule but not an SSO-namespace rule. Specifically, when getServiceAccount(claims, ssoNamespace) returns nil, the loginAccount variable remains nil; if a matching namespaceAccount is found, precedence() is then called with the nil loginAccount and panics when it accesses serviceAccount.Annotations.

Recommendations

Update Argo Workflows to version 4.0.5.
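
The failure mode in the description, reduced to a self-contained Go model alongside a nil-safe selection. This is an added example, not Argo Workflows source and not the 4.0.5 patch: the ServiceAccount struct, pickUnguarded, pickGuarded and panics are hypothetical names, the sample account is constructed, and falling back to the namespace account when no login account matched is an assumed policy.

```go
package main

import (
	"fmt"
	"strconv"
)

// Simplified stand-in for the Kubernetes ServiceAccount (hypothetical model).
type ServiceAccount struct {
	Name        string
	Annotations map[string]string
}

// Annotation Argo Workflows uses to order RBAC rules.
const precedenceKey = "workflows.argoproj.io/rbac-rule-precedence"

// precedence reads the annotation without a nil check, as in the description.
func precedence(sa *ServiceAccount) int {
	n, _ := strconv.Atoi(sa.Annotations[precedenceKey])
	return n
}

// pickUnguarded models the affected flow: login is nil when no SSO-namespace rule matched.
func pickUnguarded(login, ns *ServiceAccount) *ServiceAccount {
	if ns != nil && precedence(ns) > precedence(login) { // nil dereference when login == nil
		return ns
	}
	return login
}

// pickGuarded checks login for nil before any precedence comparison.
func pickGuarded(login, ns *ServiceAccount) *ServiceAccount {
	if login == nil || (ns != nil && precedence(ns) > precedence(login)) {
		return ns // may itself be nil: the caller must then deny access
	}
	return login
}

// panics reports whether f panics (recovered, so the demo keeps running).
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	ns := &ServiceAccount{Name: "ns-sa", Annotations: map[string]string{precedenceKey: "1"}} // constructed
	fmt.Println("unguarded panics:", panics(func() { pickUnguarded(nil, ns) }))
	fmt.Println("guarded picks:", pickGuarded(nil, ns).Name)
}
```

A unit test that passes a nil login account together with a matching namespace account covers the exact condition the advisory describes.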

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BIT-ARGO-WORKFLOWS-2026-42183
CVE-2026-42183
GHSA-P4GQ-3VXJ-F4JQ

Affected Products

Argo Workflows