FKIE_CVE-2026-24748

Vulnerability from fkie_nvd - Published: 2026-01-27 22:15 - Updated: 2026-02-25 17:59
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Summary
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
References
security-advisories@github.comhttps://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772Patch
security-advisories@github.comhttps://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7Patch
security-advisories@github.comhttps://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8cPatch
security-advisories@github.comhttps://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5Vendor Advisory
Impacted products
Vendor Product Version
akuity kargo *
akuity kargo *
akuity kargo *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "E523C042-4A9D-4F89-8D9D-AAA82F28239C",
              "versionEndExcluding": "1.6.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "199BD7B6-D9D9-4E14-A47F-54E8EDA91D42",
              "versionEndExcluding": "1.7.7",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "87AFF1D2-3872-463C-BA4C-D6C31C3B9EBC",
              "versionEndExcluding": "1.8.7",
              "versionStartIncluding": "1.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity.  This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue."
    },
    {
      "lang": "es",
      "value": "Kargo gestiona y automatiza la promoci\u00f3n de artefactos de software. Antes de las versiones 1.8.7, 1.7.7 y 1.6.3, se encontr\u00f3 un error con las comprobaciones de autenticaci\u00f3n en el endpoint de la API \u0027GetConfig()\u0027. Esto permit\u00eda a usuarios no autenticados acceder a este endpoint especificando una cabecera \u0027Authorization\u0027 con cualquier valor de token \u0027Bearer\u0027 no vac\u00edo, independientemente de su validez. Esta vulnerabilidad permit\u00eda la exfiltraci\u00f3n de datos de configuraci\u00f3n, como endpoints para cl\u00fasteres de Argo CD conectados. Estos datos podr\u00edan permitir a un atacante enumerar URLs de cl\u00faster y espacios de nombres para su uso en ataques posteriores. Adem\u00e1s, el mismo error afectaba al endpoint \u0027RefreshResource\u0027. Este endpoint no conduce a ninguna revelaci\u00f3n de informaci\u00f3n, pero podr\u00eda ser utilizado por un atacante no autenticado para realizar un ataque de estilo denegaci\u00f3n de servicio contra la API de Kargo. \u0027RefreshResource\u0027 establece una anotaci\u00f3n en recursos espec\u00edficos de Kubernetes para activar reconciliaciones. Si se ejecuta en un bucle constante, esto tambi\u00e9n podr\u00eda ralentizar las solicitudes leg\u00edtimas al servidor de la API de Kubernetes. Este problema ha sido parcheado en las versiones de Kargo 1.8.7, 1.7.7 y 1.6.3. No hay soluciones alternativas para este problema."
    }
  ],
  "id": "CVE-2026-24748",
  "lastModified": "2026-02-25T17:59:22.477",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T22:15:56.630",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.