Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, a stored cross-site scripting (XSS) flaw in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Status: PUBLISHED | Reserved 2026-01-19 | Published 2026-01-21 | Updated 2026-01-22 | Assigner GitHub_M

Severity: HIGH 7.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 3.6.17: affected

>= 3.7.0, < 3.7.8: affected

References

github.com/...kflows/security/advisories/GHSA-cv78-6m8q-ph82

github.com/...ommit/159a5c56285ecd4d3bb0a67aeef4507779a44e17

github.com/...de9fc30797/server/artifacts/artifact_server.go

github.com/argoproj/argo-workflows/releases/tag/v3.6.17

github.com/argoproj/argo-workflows/releases/tag/v3.7.8

cve.org (CVE-2026-23960)

nvd.nist.gov (CVE-2026-23960)