CVE-2026-23960: Argo Workflows affected by stored XSS in the artifact directory listing
Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges.
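The defect class named above is unescaped interpolation of attacker-controlled artifact file names into the listing page. The following Go program is an added illustration and is not the Argo Workflows artifact server's own code: it renders a constructed directory listing two ways, by string concatenation (the defect) and through html/template, whose contextual auto-escaping encodes a name that carries markup instead of emitting it raw. The artifact names are constructed sample values.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// listingTmpl is a constructed template, not Argo's. html/template escapes
// each {{.}} according to where it lands: URL-encoding inside href, HTML
// entity encoding in element text.
var listingTmpl = template.Must(template.New("listing").Parse(
	`<ul>{{range .}}<li><a href="{{.}}">{{.}}</a></li>{{end}}</ul>`))

// RenderListing builds the listing with html/template. A stored name such as
// "<script>x</script>.txt" is rendered as inert text, so nothing executes
// under the serving origin.
func RenderListing(names []string) (string, error) {
	var sb strings.Builder
	if err := listingTmpl.Execute(&sb, names); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// RenderListingUnsafe shows the defect class: concatenating the name into the
// page passes any markup in it through unchanged. Kept here only as the
// "before" side of the comparison.
func RenderListingUnsafe(names []string) string {
	var sb strings.Builder
	sb.WriteString("<ul>")
	for _, n := range names {
		sb.WriteString("<li><a href=\"" + n + "\">" + n + "</a></li>")
	}
	sb.WriteString("</ul>")
	return sb.String()
}

func main() {
	// Constructed artifact names; the second carries markup to show the
	// difference between the two renderers.
	names := []string{"results.csv", "<script>x</script>.txt"}
	safe, err := RenderListing(names)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe:", RenderListingUnsafe(names))
	fmt.Println("safe:  ", safe)
}
```

Running it prints the raw `<script>` element in the unsafe listing and `&lt;script&gt;` (and a percent-encoded href) in the safe one. The practical check for a server that lists user-named files is therefore whether every interpolation point goes through a context-aware encoder rather than `fmt.Sprintf` or string joining.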
References
- github.com/advisories/GHSA-cv78-6m8q-ph82
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go
- github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
- github.com/argoproj/argo-workflows/releases/tag/v3.6.17
- github.com/argoproj/argo-workflows/releases/tag/v3.7.8
- github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
- nvd.nist.gov/vuln/detail/CVE-2026-23960