Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-24748
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-27 Jan, 2026 | 22:15
Updated At-25 Feb, 2026 | 17:59

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
CPE Matches
akuity
akuity
>>kargo>>Versions before 1.6.3(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
akuity
akuity
>>kargo>>Versions from 1.7.0(inclusive) to 1.7.7(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
akuity
akuity
>>kargo>>Versions from 1.8.0(inclusive) to 1.8.7(exclusive)
cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarysecurity-advisories@github.com
CWE ID: CWE-863
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772security-advisories@github.com
Patch
https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7security-advisories@github.com
Patch
https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8csecurity-advisories@github.com
Patch
https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
Source: security-advisories@github.com
Resource:
Vendor Advisory
Change History
0Changes found
Details not found