PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42183 Unknown Vendor CVE debrief

CVE-2026-42183 affects Argo Workflows from 4.0.0 up to, but not including, 4.0.5. When SSO is configured with RBAC delegated to the namespace, a nil pointer dereference in the gatekeeper authorization handling can panic the server and interrupt service for certain authenticated SSO users. The issue is patched in Argo Workflows 4.0.5.

Vendor
Unknown Vendor
Product
Argo Workflows
CVSS
LOW 2.3 (CVSS v4.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Operators and administrators running Argo Workflows 4.0.0 through 4.0.4, in particular deployments where the argo-server is started with SSO_DELEGATE_RBAC_TO_NAMESPACE=true and namespace-level RBAC rules are in use.

Technical summary

The vulnerability is a nil pointer dereference in rbacAuthorization() in server/auth/gatekeeper.go, which is the argo-server's authorization middleware; the workflow controller is not the component that crashes. According to the supplied advisory description, the panic occurs for SSO users whose claims match a namespace-level RBAC rule but do not match an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. The weakness is mapped to CWE-476 (NULL Pointer Dereference). The result is a denial of service through a server panic, not code execution or a privilege escalation; the trigger is an authenticated request, so the exposure is to users who can log in via SSO.

Defensive priority

Low overall severity, but patch promptly if you use the delegated SSO/RBAC path: the failure mode is a service-impacting panic that an affected user can trigger repeatedly by simply authenticating.

Recommended defensive actions

  • Upgrade Argo Workflows to version 4.0.5 or later.
  • Check whether SSO_DELEGATE_RBAC_TO_NAMESPACE=true is set on the argo-server deployment; if it is not, the vulnerable branch is not reached, but the upgrade still applies.
  • Review namespace-level and SSO-namespace RBAC mappings for any environments using delegated RBAC, looking specifically for namespace rules that have no corresponding SSO-namespace rule.
  • Monitor argo-server logs (not the workflow controller) for panic traces mentioning gatekeeper or rbacAuthorization, and watch for restart loops of the argo-server pod.
  • Validate the upgrade in staging before rolling it into production.
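The version check and the flag check above can be scripted against the argo-server Deployment as exported by kubectl. The triage helper below is an added example written for this debrief, not code from Argo Workflows or from the advisory. It assumes the server container is named argo-server (the default manifests' name) and that the flag is read as a Go-style boolean; the Deployment JSON it ships with is a constructed sample, not a real cluster dump. Run it as `kubectl get deployment argo-server -n argo -o json > argo-server.json && python3 triage.py argo-server.json`, or with no argument to classify the embedded sample.

```python
"""Triage CVE-2026-42183 exposure from an argo-server Deployment (kubectl -o json)."""
import json
import re
import sys

AFFECTED_MIN = (4, 0, 0)  # first affected release per the advisory
FIXED = (4, 0, 5)         # first fixed release per the advisory
FLAG = "SSO_DELEGATE_RBAC_TO_NAMESPACE"


def image_tag(image):
    """Return the tag of 'registry/repo:tag'; None for digest-pinned or untagged images."""
    last = image.rsplit("/", 1)[-1]          # strip registry and path, which may contain ':'
    if "@" in last:
        return None                          # pinned by digest: resolve the tag out of band
    return last.split(":", 1)[1] if ":" in last else None


def parse_version(tag):
    """Parse 'v4.0.3', '4.0.3' or 'v4.0.3-rc1' into (4, 0, 3); None for tags like 'latest'."""
    if not tag:
        return None
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def in_affected_range(ver):
    """True when 4.0.0 <= ver < 4.0.5, the range the advisory gives."""
    return ver is not None and AFFECTED_MIN <= ver < FIXED


def flag_enabled(value):
    """Assumption: the flag is parsed like Go's strconv.ParseBool; anything else is off."""
    return value in ("1", "t", "T", "true", "TRUE", "True")


def triage(deployment):
    """Classify one argo-server Deployment object as a dict with a 'verdict' key."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    # Assumption: the server container is named 'argo-server'; fall back to the first one.
    server = next((c for c in containers if c.get("name") == "argo-server"), containers[0])
    image = server["image"]
    flag_value, flag_from_ref = None, False
    for env in server.get("env", []):
        if env.get("name") == FLAG:
            if "value" in env:
                flag_value = env["value"]
            else:
                flag_from_ref = True     # valueFrom (ConfigMap/Secret): cannot resolve offline
    ver = parse_version(image_tag(image))
    if ver is None:
        verdict = "unknown-version"      # e.g. ':latest' or digest-pinned: check 'argo version'
    elif not in_affected_range(ver):
        verdict = "not-affected"
    elif flag_from_ref:
        verdict = "affected-version-flag-unresolved"
    elif flag_enabled(flag_value):
        verdict = "affected-path-exposed"  # vulnerable branch reachable: upgrade first
    else:
        verdict = "affected-version-flag-off"  # panic path not reached, upgrade still due
    return {"image": image, "version": ver, "flag": flag_value, "verdict": verdict}


# Constructed sample Deployment, not captured from a real cluster.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "argo-server", "namespace": "argo"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "argo-server",
        "image": "quay.io/argoproj/argocli:v4.0.3",
        "env": [{"name": FLAG, "value": "true"}],
    }]}}},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            deployment = json.load(fh)
    else:
        deployment = SAMPLE_DEPLOYMENT
    print(json.dumps(triage(deployment), indent=2))
```

A verdict of affected-version-flag-unresolved means the flag comes from a ConfigMap or Secret reference; resolve it in the cluster before deciding the server is safe, because the namespace-delegation branch is what makes the panic reachable.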

Evidence notes

The supplied NVD record lists CVE-2026-42183 as received on 2026-05-09 and references a GitHub security advisory, a fix commit, and the Argo Workflows v4.0.5 release. NVD also supplies a CVSS v4.0 vector and a CWE-476 classification. The public description states the affected range is 4.0.0 to before 4.0.5 and that the issue is fixed in 4.0.5.

Official resources

Publicly disclosed on 2026-05-09. The issue was documented with a GitHub advisory, a fix commit, and the Argo Workflows 4.0.5 release as remediation references.