CVE-2026-23960
Argo Workflows affected by stored XSS in the artifact directory listing
EPSS 0.06%
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
How to fix CVE-2026-23960
To remediate CVE-2026-23960, upgrade the affected package to a fixed version below.
- Bitnami/argo-workflows—upgrade to 3.6.17 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 3.6.17 or later
- —upgrade to 3.6.17 or later
Is CVE-2026-23960 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 3.6.17, >= 3.7.0, < 3.7.8
- from 0, <= 2.5.3-rc4
- from 0
- from 0
- from 0, < 3.6.17
- from 0, < 3.6.17, >= 3.7.0, < 3.7.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (7)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2026-23960
- PATCH: github.com/argoproj/argo-workflows
- WEB: github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
- WEB: github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17