Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2026-24748
Good to know:
Date: January 27, 2026
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the "GetConfig()" API endpoint. This allowed unauthenticated users to access this endpoint by specifying an "Authorization" header with any non-empty "Bearer" token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the "RefreshResource" endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. "RefreshResource" sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Incorrect Authorization
CWE-863Top Fix
Upgrade Version
Upgrade to version github.com/akuity/kargo - v1.6.3;github.com/akuity/kargo - v1.7.7;github.com/akuity/kargo - v1.8.7;https://github.com/akuity/kargo.git - v1.8.7;https://github.com/akuity/kargo.git - v1.7.7;https://github.com/akuity/kargo.git - v1.6.3
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | NONE |
| Availability (A): | LOW |