Skip to main content

Golang CVE-2026-24748

HIGH
Incorrect Authorization (CWE-863)
2026-01-27 security-advisories@github.com GHSA-w5wv-wvrp-v5m5
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
SUSE
6.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 25, 2026 - 17:59 nvd
Patch available
CVE Published
Jan 27, 2026 - 22:15 nvd
HIGH 7.2

DescriptionGitHub Advisory

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig() API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the RefreshResource endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. RefreshResource sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

AnalysisAI

Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. Versions 1.6.3, 1.7.7, and 1.8.7 and later include patches for this vulnerability.

Technical ContextAI

Classified as CWE-863 (Incorrect Authorization). Affects Kargo. Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig() API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attack

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Golang

View all
CVE-2026-24897 CRITICAL POC
10.0 Jan 28

Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any

CVE-2022-50926 CRITICAL POC
9.8 Jan 13

WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie

CVE-2026-28408 CRITICAL POC
9.8 Feb 27

Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.p

CVE-2026-24895 CRITICAL POC
9.8 Feb 12

CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI proc

CVE-2025-66719 CRITICAL POC
9.1 Jan 23

Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request toke

CVE-2022-50909 HIGH POC
8.8 Jan 13

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows

CVE-2026-3769 HIGH POC
8.8 Mar 08

Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve una

CVE-2026-3768 HIGH POC
8.8 Mar 08

Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve comp

CVE-2025-66292 HIGH POC
8.1 Jan 15

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vu

CVE-2019-25344 HIGH POC
7.8 Feb 12

Mobilego versions up to 8.5.0 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

CVE-2019-25308 HIGH POC
7.8 Feb 11

Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration.

CVE-2026-26514 HIGH POC
7.5 Mar 04

Remote attackers can inject arbitrary command-line arguments into bird-lg-go's traceroute module through unsanitized use

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-24748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy