PT-2026-5025 · Kargo · Kargo

Thomastaylor312 · Published 2026-01-27 · Updated 2026-02-06 · CVE-2026-24748

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Kargo versions prior to 1.8.7
Kargo versions prior to 1.7.7
Kargo versions prior to 1.6.3

Description
Kargo is a tool for managing and automating the promotion of software artifacts. Kargo's API server applied a flawed authentication check to two endpoints, GetConfig() and RefreshResource: any request carrying a non-empty Bearer token in the Authorization header was treated as authenticated, whatever the token's value, so an unauthenticated attacker could call both endpoints. GetConfig() returns configuration data, including the endpoints of connected Argo CD clusters, which lets an attacker enumerate cluster URLs and namespaces (the C:L component of the vector). RefreshResource, when called repeatedly, triggers excessive reconciliations of Kubernetes resources, which can be used to deny service to the Kargo API and degrade the performance of the Kubernetes API server (the A:L and S:C components). The bypass depends only on the Authorization header: the Bearer token can be any arbitrary string, so a request with a made-up token that still receives configuration data indicates an unpatched server.

Recommendations
Upgrade to the fixed release of the minor version you run: Kargo 1.8.7 or later, 1.7.7 or later, or 1.6.3 or later.
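The bug class the advisory describes, a token presence check mistaken for a token validity check, as an added Go example that is not Kargo's code and does not reproduce its actual handlers. The `vulnerableAuth` middleware models the flaw (any non-empty Bearer value passes), `hardenedAuth` shows the shape of the fix (the value must be verified), and `probe` lets both be exercised with the same headers. The HMAC-based `hmacVerifier`, the `/GetConfig` path and the JSON body are placeholders chosen for this illustration, not Kargo's real token format, route or response.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// bearerFromHeader extracts the token after "Bearer " from an Authorization
// header value. It returns "" when the header is absent, empty, or uses
// another scheme.
func bearerFromHeader(authz string) string {
	const prefix = "bearer "
	if len(authz) < len(prefix) || !strings.EqualFold(authz[:len(prefix)], prefix) {
		return ""
	}
	return strings.TrimSpace(authz[len(prefix):])
}

// vulnerableAuth models the flaw described in the advisory: it only checks
// that *some* Bearer token is present, so any non-empty value is accepted.
// This is the pattern to look for in review, not Kargo's actual code.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bearerFromHeader(r.Header.Get("Authorization")) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r) // presence of a token was treated as authentication
	})
}

// hardenedAuth rejects the request unless verify accepts the token's value.
// In a real deployment verify would be OIDC/JWT validation; here it is a
// hypothetical HMAC check so the example runs offline.
func hardenedAuth(verify func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := bearerFromHeader(r.Header.Get("Authorization"))
		if tok == "" || !verify(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hmacVerifier accepts tokens of the form "<id>.<hex HMAC-SHA256(id)>" minted
// under key. The format is invented for this example.
func hmacVerifier(key []byte) func(string) bool {
	return func(tok string) bool {
		id, sig, ok := strings.Cut(tok, ".")
		if !ok {
			return false
		}
		want, err := hex.DecodeString(sig)
		if err != nil {
			return false
		}
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(id))
		return hmac.Equal(mac.Sum(nil), want) // constant-time comparison
	}
}

// mintToken produces a token that hmacVerifier(key) will accept.
func mintToken(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return id + "." + hex.EncodeToString(mac.Sum(nil))
}

// protected stands in for a config-returning handler; the body is a
// constructed sample, not real Kargo output.
var protected = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"argocdUrl":"https://argocd.example.invalid"}`)
})

// probe sends one request with the given Authorization header through h and
// returns the HTTP status, so the two middlewares can be compared directly.
func probe(h http.Handler, authz string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/GetConfig", nil) // hypothetical path
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("demo-key-do-not-use")
	vuln := vulnerableAuth(protected)
	hard := hardenedAuth(hmacVerifier(key), protected)
	for _, authz := range []string{"", "Bearer anything-at-all", "Bearer " + mintToken(key, "alice")} {
		fmt.Printf("%-45q vulnerable=%d hardened=%d\n", authz, probe(vuln, authz), probe(hard, authz))
	}
}
```

The vulnerable middleware returns 200 for `Bearer anything-at-all`, which is exactly the symptom the advisory describes; the hardened one returns 401 for that header and only passes a token the verifier accepts. When auditing similar code, look for checks that stop at "header present" or "token non-empty" without a subsequent signature, issuer or lookup step.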

Tags: Exploit · Fix · DoS · Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-24748
GHSA-W5WV-WVRP-V5M5
GO-2026-4385
SUSE-SU-2026:0403-1

Affected Products

Kargo