Vulnerability Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Argoproj | Argo Workflows | < 3.6.17 |
Related Weaknesses (CWE)
References
- https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961edeProduct
- https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef450Patch
- https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17ProductRelease Notes
- https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8ProductRelease Notes
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-phExploitVendor Advisory
FAQ
What is CVE-2026-23960?
CVE-2026-23960 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows...
How severe is CVE-2026-23960?
CVE-2026-23960 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23960?
Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Workflows.