Nixpkgs security tracker

Untriaged

Permalink CVE-2026-23960

created 2 months, 4 weeks ago

Argo Workflows affected by stored XSS in the artifact directory listing

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 x_refsource_CONFIRM
https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 x_refsource_MISC
https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 x_refsource_MISC
https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 x_refsource_MISC
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 x_refsource_MISC

Affected products

argo-workflows

==>= 3.7.0, < 3.7.8
==< 3.6.17

Matching in nixpkgs

pkgs.argo-workflows

Container native workflow engine for Kubernetes

nixos-unstable 3.6.10
- nixpkgs-unstable 3.6.10
- nixos-unstable-small 3.6.10
nixos-25.11 3.6.10
- nixpkgs-25.11-darwin 3.6.10

Package maintainers

@groodt Greg Roodt <groodt@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.argo-workflows

Package maintainers