Fluid Attacks Database

Description

Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)

Summary

A nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true.

Details

When getServiceAccount(claims, ssoNamespace) returns nil (no matching rule), the error is suppressed and loginAccount remains nil. If RBAC delegation finds a matching namespaceAccount, line 304 calls precedence(loginAccount) which unconditionally accesses serviceAccount.Annotations — nil pointer dereference.

Affected code (v4.0.4):

// gatekeeper.go:304
} else if precedence(namespaceAccount) > precedence(loginAccount) {
    // loginAccount is nil here -> precedence(nil) -> PANIC

// gatekeeper.go:232-234
func precedence(serviceAccount *corev1.ServiceAccount) int {
    i, _ := strconv.Atoi(serviceAccount.Annotations[common.AnnotationKeyRBACRulePrecedence])
    return i...

PoC

Live-tested 2026-04-17: kind cluster, Argo Workflows v4.0.4, Dex v2.43.1 OIDC provider.

Deploy Argo Workflows with --auth-mode=sso --auth-mode=client, SSO pointing to Dex, RBAC enabled.

Set SSO_DELEGATE_RBAC_TO_NAMESPACE=true on the argo-server deployment.

Create an RBAC ServiceAccount with workflows.argoproj.io/rbac-rule: "true" annotation in a target namespace (e.g., target-ns).

Do not create a matching RBAC rule in the SSO namespace (argo).

Authenticate via the Dex SSO flow.

Request GET /api/v1/workflows/target-ns with the SSO session cookie.

Server returns HTTP 500: {"code":13,"message":"runtime error: invalid memory address or nil pointer dereference"}

Server logs: Recovered from panic with stack trace at gatekeeper.go:233 (precedence()) called from gatekeeper.go:304.

Every subsequent API request from affected SSO users triggers the same panic.

Impact

Permanent denial of service for any SSO user whose claims don't match SSO-namespace RBAC but do match a target namespace rule. Realistic in multi-tenant deployments with per-namespace RBAC. The gRPC recovery interceptor catches the panic so the server process survives, but the affected user gets HTTP 500 on every request.

Suggested Fix

Add nil check: if loginAccount == nil || precedence(namespaceAccount) > precedence(loginAccount)

AI Disclosure

This advisory was prepared with AI assistance (Claude Code, Anthropic).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/argoproj/argo-workflows/v4	>=4.0.0 <4.0.5	4.0.5

Aliases

1. CVE-2026-421832. NVD-2026-421833. OSV-2026-421834. GHSA-p4gq-3vxj-f4jq5. GCVE-2026-42183

References

1. https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p4gq-3vxj-f4jq2. https://github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d43. https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.