CVE-2026-24748: Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
(updated )
A bug was found with authentication checks on the GetConfig() API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks.
Additionally, the same bug affected the RefreshResource endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. RefreshResource sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server.
This vulnerability was identified by security researchers, and there are no known reports of exploitation in the wild.
References
- github.com/advisories/GHSA-w5wv-wvrp-v5m5
- github.com/akuity/kargo
- github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
- github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
- github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
- github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
- nvd.nist.gov/vuln/detail/CVE-2026-24748
Code Behaviors & Features
Detect and mitigate CVE-2026-24748 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →