CVE-2026-24748

HIGH
2026-01-27 [email protected] GHSA-w5wv-wvrp-v5m5
7.2
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch Released
Feb 25, 2026 - 17:59 nvd
Patch available
CVE Published
Jan 27, 2026 - 22:15 nvd
HIGH 7.2

Tags

Golang Kubernetes Information Disclosure Kargo Suse

Description

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.

Analysis

Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all Kargo deployments and confirm installed versions against the affected baseline (pre-1.8.7, pre-1.7.7, pre-1.6.3). Within 7 days: Apply available patches to all affected instances or implement compensating controls listed below if patching is blocked. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0

Vendor Status

Share

CVE-2026-24748 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy