Denial of Service Vulnerability in Argo Workflows by Argo Project
CVE-2026-42183

2.3 LOW

Key Information:

Vendor: Argoproj

CVE Published: 9 May 2026

What is CVE-2026-42183?

In versions prior to 4.0.5, Argo Workflows has a flaw in which a nil pointer dereference in the RBAC authorization logic can lead to a denial of service for SSO users. It occurs when a user's claims allow access under a namespace-level RBAC rule but do not match the corresponding SSO namespace rule, particularly with the SSO_DELEGATE_RBAC_TO_NAMESPACE setting enabled. The issue is resolved in version 4.0.5.

Affected Version(s)

argo-workflows >= 4.0.0, < 4.0.5

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
