PatchSiren cyber security CVE debrief
CVE-2026-23960 Argoproj CVE debrief
CVE-2026-23960 is a high-severity stored cross-site scripting (XSS) vulnerability in Argo Workflows, the open-source container-native workflow engine for Kubernetes. The flaw sits in the artifact directory listing served by Argo Server: a workflow author can plant a payload that is later rendered, unescaped, in the browser of any other user who opens that listing. Because the script runs under the Argo Server origin, it can call the Argo Server API with the victim's privileges. The CVSS score is 7.3 (HIGH). Argo Workflows 3.6.17 and 3.7.8 contain the fix.
- Vendor: Argoproj
- Product: Argo Workflows
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-21
- Advisory updated: 2026-06-30
Who should care
Anyone operating Argo Server with its UI reachable by more than one person, and above all multi-tenant installations where workflow authors are not trusted by every other UI user (cluster administrators, operators of other namespaces). The attacker needs only the ability to submit a workflow that produces artifacts; the victim needs only to open the artifact directory listing in the UI. Administrators should upgrade to a fixed release. Users of an affected instance should assume that any API action attributed to their account while the listing was reachable could have been triggered by another tenant's script, and review their recent actions accordingly.
Technical summary
CVE-2026-23960 is a stored XSS: the injected content persists on the server side and is served to every later visitor, rather than being reflected from a single crafted request. The injection point is the artifact directory listing that Argo Server renders for workflow artifacts. The listing includes content controlled by the workflow author, and that content was emitted without adequate escaping for the HTML context it lands in, so a crafted value becomes script in the page. The script executes under the Argo Server origin, which means the browser's same-origin policy does not stand between it and the Argo Server API: requests issued from the payload run with the privileges of whoever opened the listing. CVSS 7.3, HIGH. Fixed in 3.6.17 (3.6 line) and 3.7.8 (3.7 line); upgrading is the remediation.
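To make the failure mode concrete, here is an added example in Go (Argo's implementation language) of a directory listing rendered two ways: by string concatenation, where an attacker-chosen entry name becomes markup, and through html/template, which escapes each value for the context it is inserted into. This is illustrative code written for this debrief, not Argo's own listing code; the Entry type, the function names, the sample file names and the payload are all constructed here, and which field Argo failed to escape is not something this page states.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Entry is one row of a directory listing. Name comes from the artifact
// the workflow produced, so it is chosen by the workflow author, not by
// the server. (Hypothetical type for this example.)
type Entry struct {
	Name string
	Size int64
}

// renderUnsafe builds the listing by string formatting. Whatever is in
// Name is copied into the page verbatim, so markup in a name becomes
// markup in the page: the stored-XSS pattern. Illustrative only; this is
// not Argo's code.
func renderUnsafe(entries []Entry) string {
	var b strings.Builder
	b.WriteString("<ul>\n")
	for _, e := range entries {
		fmt.Fprintf(&b, "  <li><a href=\"%s\">%s</a> (%d bytes)</li>\n", e.Name, e.Name, e.Size)
	}
	b.WriteString("</ul>\n")
	return b.String()
}

// listingTmpl is parsed by html/template, which applies contextual
// escaping: HTML text escaping for the link label, URL normalisation
// plus attribute escaping for the href value.
var listingTmpl = template.Must(template.New("listing").Parse(
	"<ul>\n{{range .}}  <li><a href=\"{{.Name}}\">{{.Name}}</a> ({{.Size}} bytes)</li>\n{{end}}</ul>\n"))

// renderSafe renders the same rows through the escaping template.
func renderSafe(entries []Entry) (string, error) {
	var b strings.Builder
	if err := listingTmpl.Execute(&b, entries); err != nil {
		return "", err
	}
	return b.String(), nil
}

// containsRawScript reports whether an unescaped <script tag survived
// into the rendered page, i.e. whether a payload would execute.
func containsRawScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	// Constructed entries: one ordinary file and one whose name is a
	// payload that would call the Argo Server API as the viewer.
	payload := `<script>fetch("/api/v1/workflows/argo/victim-wf",{method:"DELETE"})</script>`
	entries := []Entry{
		{Name: "results.json", Size: 1024},
		{Name: payload, Size: 0},
	}
	unsafePage := renderUnsafe(entries)
	safePage, err := renderSafe(entries)
	if err != nil {
		panic(err)
	}
	fmt.Printf("concatenation keeps the script: %v\n", containsRawScript(unsafePage))
	fmt.Printf("html/template keeps the script: %v\n", containsRawScript(safePage))
	fmt.Print(safePage)
}
```

The point of the second renderer is not that it strips dangerous names but that escaping is decided by output context: the same Name is HTML-escaped as link text and percent-encoded inside the href, and the author of the template never has to remember which escaper applies where. A listing that builds HTML by concatenation has to get that right by hand for every interpolation, which is the class of mistake this CVE belongs to.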
Defensive priority
High. The attacker prerequisite, being able to author a workflow, is routinely granted to ordinary users of a shared cluster, and the payoff is API access as whoever opens the listing, which may be an administrator. Upgrade to 3.6.17 on the 3.6 line or 3.7.8 on the 3.7 line as soon as practical, and treat the period before the upgrade as a window in which privileged users' API actions might have been triggered by another tenant.
Recommended defensive actions
- Upgrade Argo Workflows to 3.6.17 or later on the 3.6 line, or 3.7.8 or later on the 3.7 line. Argo Server is the component that renders the listing, so it is the one that must be on a fixed version.
- Until the upgrade lands, shrink both the attacker pool and the victim pool: restrict who can submit workflows, and avoid opening artifact directory listings of untrusted workflows from a privileged account.
- Review Argo Server request logs and Kubernetes audit logs for API actions that a user would not normally perform (deletions, resubmissions, changes in namespaces they do not usually touch). A script running in the victim's browser shows up in the logs as the victim, so look for out-of-character activity rather than for a separate attacker identity.
- If exploitation is suspected, invalidate the affected users' sessions or tokens and revert the actions taken under their identity.
- Where Argo Server sits behind an ingress or reverse proxy, a restrictive Content-Security-Policy response header limits what an injected script can do. This is defence in depth against this class of bug, not a substitute for the upgrade.
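The first step on this list is the only one that removes the bug, and on a fleet of clusters the question is which servers still need it. The following Go program is an added example, not a tool from the Argo project: it parses version strings of the shape Argo reports (a leading "v", an optional pre-release suffix such as "-rc1", optional build metadata after "+") and decides whether a given release carries CVE-2026-23960 using the fixed versions named on this page. It assumes, because the page does not say, that release lines older than 3.6 have no fix and are affected, that lines newer than 3.7 are fixed, and that a pre-release of a fixing version should be treated as affected since it may predate the fix. The sample version strings are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// firstFixed maps a release line to the first patch level that contains
// the fix, per the advisory: 3.6.17 and 3.7.8.
var firstFixed = map[[2]int]int{
	{3, 6}: 17,
	{3, 7}: 8,
}

// versionRe accepts "v3.7.7", "3.6.16", "v3.7.8-rc1" and
// "v3.6.17+1a2b3c.dirty". Group 4 is a pre-release suffix; group 5 is
// build metadata, which does not affect ordering and is ignored.
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

type version struct {
	major, minor, patch int
	preRelease          bool
}

func parseVersion(s string) (version, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return version{}, fmt.Errorf("unrecognised version string %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return version{major: major, minor: minor, patch: patch, preRelease: m[4] != ""}, nil
}

// Affected reports whether an Argo Server at the given version still
// carries CVE-2026-23960. Assumptions not stated on the page: release
// lines older than 3.6 have no fix listed and are treated as affected;
// lines newer than 3.7 (and any later major) are treated as fixed; a
// pre-release of the fixing version (e.g. v3.7.8-rc1) may predate the
// fix and is conservatively reported as affected.
func Affected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	if v.major != 3 {
		return v.major < 3, nil
	}
	fixedPatch, known := firstFixed[[2]int{v.major, v.minor}]
	if !known {
		return v.minor < 6, nil
	}
	if v.patch == fixedPatch && v.preRelease {
		return true, nil
	}
	return v.patch < fixedPatch, nil
}

func main() {
	// Constructed sample of version strings as they might be taken from
	// the output of `argo version` or from an argo-server image tag.
	samples := []string{
		"v3.6.16", "v3.6.17", "v3.7.7", "v3.7.8+deadbeef.dirty",
		"v3.7.8-rc1", "v3.5.14", "v3.8.0", "latest",
	}
	for _, s := range samples {
		affected, err := Affected(s)
		if err != nil {
			fmt.Printf("%-24s cannot triage: %v\n", s, err)
			continue
		}
		fmt.Printf("%-24s affected=%v\n", s, affected)
	}
}
```

A string the parser cannot read, such as the tag "latest", is reported as an error rather than as "not affected": an unresolvable version is a finding in itself, because it means the image is not pinned and the running code cannot be tied to a release.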
Evidence notes
The vulnerability is documented in the CVE record and the NVD detail page. The NVD reference set for it includes a patch reference, two release-notes references and one reference tagged both Exploit and Vendor Advisory, so the issue is publicly described in enough detail that exploitation details are available. The fixed versions 3.6.17 and 3.7.8 come from those records. No CISA KEV listing is present in the stored evidence. Consult the vendor advisory and release notes for the authoritative fix details.
Official resources
- CVE-2026-23960 CVE record (CVE.org)
- CVE-2026-23960 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Product
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.