PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23960 Argoproj CVE debrief

CVE-2026-23960 is a high-severity vulnerability in Argo Workflows, an open-source container-native workflow engine for Kubernetes. The vulnerability allows stored XSS attacks in the artifact directory listing, enabling any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin. This could lead to API actions with the victim's privileges. The vulnerability has a CVSS score of 7.3 and is considered high-severity. Versions 3.6.17 and 3.7.8 of Argo Workflows fix the issue.

Vendor
Argoproj
Product
Argo Workflows
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-21
Original CVE updated
2026-06-30
Advisory published
2026-01-21
Advisory updated
2026-06-30

Who should care

Users of Argo Workflows, particularly those who use the artifact directory listing feature, should be aware of this vulnerability. Workflow authors and administrators should take steps to mitigate the vulnerability by upgrading to a fixed version of Argo Workflows. Additionally, users who have already been affected by this vulnerability should take steps to remediate the issue.

Technical summary

CVE-2026-23960 is a stored XSS vulnerability in Argo Workflows. The vulnerability exists in the artifact directory listing feature and allows workflow authors to execute arbitrary JavaScript in another user's browser. The vulnerability has a CVSS score of 7.3 and is considered high-severity. The issue is fixed in versions 3.6.17 and 3.7.8 of Argo Workflows. Users should upgrade to a fixed version to mitigate the vulnerability.

Defensive priority

High-priority defensive actions are recommended to mitigate this vulnerability. Users should upgrade to a fixed version of Argo Workflows (3.6.17 or 3.7.8) as soon as possible. Additionally, users should monitor their systems for suspicious activity and take steps to remediate any potential issues.

Recommended defensive actions

  • Upgrade to Argo Workflows version 3.6.17 or 3.7.8
  • Monitor systems for suspicious activity
  • Remediate any potential issues
  • Restrict access to the artifact directory listing feature
  • Implement additional security measures to prevent XSS attacks

Evidence notes

The vulnerability is documented in the CVE record and the NVD detail page. The issue is fixed in versions 3.6.17 and 3.7.8 of Argo Workflows. Users should consult the official documentation and security advisories for more information.

Official resources

This article is AI-assisted and based on the supplied source corpus.