CVE-2026-23960 - Vulnerability Details

- Argo Workflows affected by stored XSS in the artifact directory listing

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Published: 2026-01-21

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Argo Workflows suffers a stored cross‑site scripting flaw that appears in the artifact directory listing. The vulnerability, classified as CWE‑79, allows a workflow author to embed malicious JavaScript that is executed in the victim’s browser under the Argo Server origin. The injected script can then perform API calls using the victim’s privileges, effectively giving the attacker the ability to act on behalf of the user and potentially compromise workflow or cluster resources.

Affected Systems

The flaw exists in all releases of Argo Workflows before v3.6.17 and v3.7.8. Any installation of these affected versions that exposes artifact listings is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3 and an EPSS score of less than 1 %, indicating a moderate severity but low current exploitation probability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authorized workflow author who can create or modify a workflow that presents a malicious artifact; once a victim views the listing, the stored XSS payload runs in the victim’s browser and enables the attacker to perform privileged API actions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

argoproj

argo-workflows

affected

Version	Status	Constraints
`< 3.6.17`	affected	—
`>= 3.7.0, < 3.7.8`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:argoproj:argo_workflows::::::go::*
	cpe:2.3:a:argoproj:argo_workflows::::::go::*

No data.

Vendor	Product	Confidence	Versions
Argoproj	Argo-workflows	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Argo Workflows to version 3.6.17 or 3.7.8, which contain the patch for the stored XSS flaw.
If an upgrade is not immediately possible, restrict the ability to create or modify workflows to trusted users and monitor artifact listings for unexpected filenames or content.
Apply general input validation and output encoding practices for artifact directory listings to mitigate potential cross‑site scripting, consistent with CWE‑79 remediation guidelines.

Generated by OpenCVE AI on April 18, 2026 at 15:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cv78-6m8q-ph82	Argo Workflows affected by stored XSS in the artifact directory listing

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00062.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
https://nvd.nist.gov/vuln/detail/CVE-2026-23960
https://www.cve.org/CVERecord?id=CVE-2026-23960

History

Tue, 17 Feb 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Argoproj argo Workflows
CPEs		cpe:2.3:a:argoproj:argo_workflows::::::go::*
Vendors & Products		Argoproj argo Workflows
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Argoproj Argoproj argo-workflows
Vendors & Products		Argoproj Argoproj argo-workflows

Fri, 23 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-23960 https://www.cve.org/CVERecord?id=CVE-2026-23960
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
Title		Argo Workflows affected by stored XSS in the artifact directory listing
Weaknesses		CWE-79
References		https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
Metrics		cvssV4_0 `{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Argoproj Argo-workflows Argo Workflows

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-21T22:02:50.491Z

Updated: 2026-01-22T16:49:43.075Z

Reserved: 2026-01-19T14:49:06.313Z

Link: CVE-2026-23960

Vulnrichment

Updated: 2026-01-22T15:10:54.480Z

NVD

Status : Analyzed

Published: 2026-01-21T22:15:50.627

Modified: 2026-02-17T16:56:21.320

Link: CVE-2026-23960

Redhat

Severity : Important

Publid Date: 2026-01-21T22:02:50Z

Links: CVE-2026-23960 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object