CVE-2026-24748

EPSS 0.34%
Veröffentlicht 27.01.2026 21:23:53
Zuletzt bearbeitet 25.02.2026 17:59:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity.  This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Akuity ≫ Kargo SwPlatformkubernetes Version < 1.6.3

Akuity ≫ Kargo SwPlatformkubernetes Version >= 1.7.0 < 1.7.7

Akuity ≫ Kargo SwPlatformkubernetes Version >= 1.8.0 < 1.8.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.259

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5

Vendor Advisory

https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772

Patch

https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7

Patch

https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-24748

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24748

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24748

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24748