CVE-2026-23960
Stored XSS in Argo Workflows Artifact Directory Enables Privilege Escalation
Publication date: 2026-01-21
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_workflows | to 3.6.17 (exc) |
| argoproj | argo_workflows | From 3.7.0 (inc) to 3.7.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |