Skip to main content

Argo Workflows CVE-2026-23960

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-21 security-advisories@github.com GHSA-cv78-6m8q-ph82
7.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable stored XSS by an authenticated author (PR:L) needing victim interaction (UI:R) and crafted payload (AC:H); runs cross-origin context (S:C) enabling API actions, so C:H/I:H, no real availability impact (A:N).

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

12
Analysis Updated
Jun 30, 2026 - 05:59 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:58 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:58 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 05:58 vuln.today
Analysis Updated
Jun 30, 2026 - 05:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:23 NVD
5.4 (MEDIUM) 7.3 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 17, 2026 - 16:56 vuln.today
Public exploit code
Patch released
Feb 17, 2026 - 16:56 nvd
Patch available
CVE Published
Jan 21, 2026 - 22:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

AnalysisAI

Stored cross-site scripting in Argo Workflows (CNCF Kubernetes workflow engine) before 3.6.17 and 3.7.8 lets any authenticated workflow author plant malicious JavaScript that executes in another user's browser under the Argo Server origin, hijacking the victim's session to perform privileged API actions on their behalf. Public exploit details exist via the GitHub Security Advisory (GHSA-cv78-6m8q-ph82), but there is no public exploit identified as weaponized and no CISA KEV listing; EPSS is very low at 0.05% (16th percentile). The flaw is patched in 3.6.17 and 3.7.8.

Technical ContextAI

Argo Workflows is an open-source, container-native engine for orchestrating parallel jobs on Kubernetes; its Argo Server component exposes both an API and a web UI. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS in the artifact directory listing, served by the artifact server code (server/artifacts/artifact_server.go, lines ~194-244 in the referenced commit). Because artifact paths/names rendered in that directory listing are not properly sanitized or encoded, an attacker-controlled value is reflected as live HTML/JavaScript and runs in the trusted Argo Server origin, where it can ride the victim's authenticated session to invoke the Argo API. Affected packages are tracked under CPE cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:* (Go-based distribution).

RemediationAI

Vendor-released patch: upgrade to Argo Workflows 3.6.17 (3.6.x line) or 3.7.8 (3.7.x line), which contain the fix (release notes at https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 and https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8; fixing commit 159a5c56285ecd4d3bb0a67aeef4507779a44e17). Distro users should apply the corresponding vendor updates (SUSE-SU-2026:0403; Red Hat per CVE-2026-23960). If immediate patching is not possible, reduce exposure by tightening who can author workflows and produce artifacts (restrict Argo RBAC so untrusted/low-trust tenants cannot create workflows that emit attacker-controlled artifact names), and limit who can browse the artifact directory listing in the Argo Server UI - the trade-off is reduced self-service for legitimate users. Operating Argo Server on a dedicated origin/subdomain and behind SSO with short session lifetimes limits the blast radius of session-riding, at the cost of added auth friction; review GHSA-cv78-6m8q-ph82 for vendor-specific guidance.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-23960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy