CVE-2026-23960
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
Stored XSS vulnerability in Argo Workflows allows arbitrary JavaScript execution in another user's browser via artifact directory listing. Affects versions prior to 3.6.17 and 3.7.8.
Risk Assessment
An attacker can hijack the victim's session and perform API actions with their privileges, leading to unauthorized access to data and resources.
Recommendation
Upgrade Argo Workflows to version 3.6.17 or 3.7.8 immediately, which contain the fix for this vulnerability.
Original NVD description (English source)
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

