Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-24748

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-27 Jan, 2026 | 21:23
Updated At-28 Jan, 2026 | 21:15
Rejected At-
Credits

Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:27 Jan, 2026 | 21:23
Updated At:28 Jan, 2026 | 21:15
Rejected At:
▼CVE Numbering Authority (CNA)
Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

Affected Products
Vendor
akuity
Product
kargo
Versions
Affected
  • < 1.6.3
  • >= 1.7.0, < 1.7.7
  • <= 1.8.0, < 1.8.7
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863: Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
x_refsource_CONFIRM
https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
x_refsource_MISC
https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
x_refsource_MISC
https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
x_refsource_MISC
Hyperlink: https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
Resource:
x_refsource_MISC
Hyperlink: https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
Resource:
x_refsource_MISC
Hyperlink: https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:27 Jan, 2026 | 22:15
Updated At:25 Feb, 2026 | 17:59

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
CPE Matches
akuity
akuity
>>kargo>>Versions before 1.6.3(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
akuity
akuity
>>kargo>>Versions from 1.7.0(inclusive) to 1.7.7(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
akuity
akuity
>>kargo>>Versions from 1.8.0(inclusive) to 1.8.7(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarysecurity-advisories@github.com
CWE ID: CWE-863
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772security-advisories@github.com
Patch
https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7security-advisories@github.com
Patch
https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8csecurity-advisories@github.com
Patch
https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2026-27112
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.4||CRITICAL
EPSS-0.21% / 42.50%
||
7 Day CHG-0.03%
Published-20 Feb, 2026 | 21:22
Updated-25 Feb, 2026 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints

Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3.

Action-Not Available
Vendor-akuityakuity
Product-kargokargo
CWE ID-CWE-863
Incorrect Authorization
Details not found