Stored XSS Vulnerability in Argo Workflows by Argo Project
CVE-2026-23960
What is CVE-2026-23960?
Argo Workflows, an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes, contains a stored cross-site scripting (XSS) vulnerability in its artifact directory listing. In versions prior to 3.6.17 and 3.7.8, any workflow author can embed JavaScript that is rendered unescaped into the listing page and executes in the browser of another user who opens it. Because the listing is served from the Argo Server origin, the injected script runs with that origin's privileges: it can call the Argo Server API using the victim's session and perform actions with the victim's permissions. The fix is included in 3.6.17 and 3.7.8; until an affected deployment is upgraded, artifact names and paths authored by untrusted workflow authors should be treated as attacker-controlled input wherever they are displayed.
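To make the bug class concrete, the following is an added example and not Argo Workflows' own listing code or its patch: a minimal Go renderer that concatenates artifact names straight into HTML, beside one that renders the same names through html/template, which escapes each value for the context (text node or href attribute) it lands in. The artifact names, the directory path and all function names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample input: artifact names as a workflow author could choose
// them. The second one carries an HTML payload; whether it executes depends
// entirely on how the listing page is rendered.
var sampleNames = []string{
	"results.json",
	`<img src=x onerror="alert(document.cookie)">`,
}

// RenderUnsafe mirrors the classic stored-XSS pattern: names are formatted
// straight into HTML, so markup in a name becomes markup in the page.
func RenderUnsafe(dir string, names []string) string {
	var b strings.Builder
	b.WriteString("<ul>\n")
	for _, n := range names {
		b.WriteString(fmt.Sprintf("<li><a href=\"%s/%s\">%s</a></li>\n", dir, n, n))
	}
	b.WriteString("</ul>\n")
	return b.String()
}

// listingTmpl is parsed by html/template, not text/template, so the escaping
// rules are chosen per context: URL-encoding inside href, entity-encoding in
// the visible link text.
var listingTmpl = template.Must(template.New("listing").Parse(
	`<ul>
{{range .Names}}<li><a href="{{$.Dir}}/{{.}}">{{.}}</a></li>
{{end}}</ul>
`))

// RenderSafe renders the same data through the contextual auto-escaper, so an
// attacker-chosen name can only ever be displayed, never parsed as an element.
func RenderSafe(dir string, names []string) (string, error) {
	var b strings.Builder
	err := listingTmpl.Execute(&b, struct {
		Dir   string
		Names []string
	}{dir, names})
	return b.String(), err
}

// ContainsRawTag reports whether the rendered page still carries the payload's
// unescaped "<img " start tag, i.e. whether a browser would create the element
// and fire its onerror handler.
func ContainsRawTag(page string) bool {
	return strings.Contains(page, "<img ")
}

func main() {
	dir := "/artifacts/wf-1" // constructed listing path
	unsafePage := RenderUnsafe(dir, sampleNames)
	safePage, err := RenderSafe(dir, sampleNames)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe rendering:\n" + unsafePage)
	fmt.Println("html/template rendering:\n" + safePage)
	fmt.Printf("payload survives: unsafe=%v safe=%v\n",
		ContainsRawTag(unsafePage), ContainsRawTag(safePage))
}
```

The point of the comparison is that the fix is not a blocklist on names: the escaper is applied at the output, per context, so the same name is safe both as link text and inside the href, and a name that is merely unusual (spaces, quotes, non-ASCII) is still displayed correctly.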
Affected Version(s)
Package          Affected versions        Patched version
argo-workflows   < 3.6.17                 3.6.17
argo-workflows   >= 3.7.0, < 3.7.8        3.7.8
