CVE-2026-24748

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24748
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24748.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24748
Aliases
Published
2026-01-27T21:23:53.890Z
Modified
2026-02-02T22:25:53.845189Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator
Summary
Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Details

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig() API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the RefreshResource endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. RefreshResource sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24748.json",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/akuity/kargo

Affected ranges

Type
GIT
Repo
https://github.com/akuity/kargo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a81c37e59d02e66c5f178712f5a0638f61f6ac57
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/akuity/kargo
Events
Introduced
c460e1d69f32548157ecc901d7475ebf66d52d3f
Fixed
86eac6a10609df66e10abdfa5b4073ee544babab
Database specific 
{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.7"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.0-rc.1
v0.1.0-rc.10
v0.1.0-rc.11
v0.1.0-rc.12
v0.1.0-rc.13
v0.1.0-rc.14
v0.1.0-rc.15
v0.1.0-rc.16
v0.1.0-rc.17
v0.1.0-rc.18
v0.1.0-rc.19
v0.1.0-rc.2
v0.1.0-rc.20
v0.1.0-rc.21
v0.1.0-rc.22
v0.1.0-rc.23
v0.1.0-rc.24
v0.1.0-rc.3
v0.1.0-rc.4
v0.1.0-rc.5
v0.1.0-rc.6
v0.1.0-rc.7
v0.1.0-rc.8
v0.1.0-rc.9
v0.1.1-rc.1
v0.1.1-rc.2
v0.2.0
v0.2.0-rc.1
v0.2.0-rc.2
v0.3.0-alpha.1
v0.3.0-rc.1
v0.4.0-rc.1
v0.5.0-rc.1
v0.6.0-rc.1
v0.7.0-rc.1
v0.7.1
v0.8.0-rc.1
v1.*
v1.0.0
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.3
v1.0.0-rc.4
v1.0.0-rc.5
v1.1.0-rc.1
v1.1.0-rc.2
v1.1.2-rc.1
v1.2.0-rc.1
v1.2.0-soak-time-preview
v1.4.0-rc.1
v1.5.0-rc.1
v1.6.0
v1.6.0-rc.1
v1.6.0-rc.2
v1.6.0-rc.3
v1.6.0-rc.4
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24748.json"