Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
References (5)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
Patch (x_refsource_misc): https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
Product (x_refsource_misc): https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
Product, Release Notes (x_refsource_misc): https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
Product, Release Notes (x_refsource_misc): https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
Scores
CVSS v3: 5.4
EPSS: 0.0006
EPSS Percentile: 19.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (3)
argoproj/argo-workflows (Go): 0
argoproj/argo-workflows (Go): 0 - 3.6.17
argoproj/argo_workflows: < 3.6.17
Published: Jan 21, 2026
Tracked Since: Feb 18, 2026