{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T10:06:42.251","vulnerabilities":[{"cve":{"id":"CVE-2026-24748","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T22:15:56.630","lastModified":"2026-02-25T17:59:22.477","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity.  This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue."},{"lang":"es","value":"Kargo gestiona y automatiza la promoción de artefactos de software. Antes de las versiones 1.8.7, 1.7.7 y 1.6.3, se encontró un error con las comprobaciones de autenticación en el endpoint de la API 'GetConfig()'. Esto permitía a usuarios no autenticados acceder a este endpoint especificando una cabecera 'Authorization' con cualquier valor de token 'Bearer' no vacío, independientemente de su validez. Esta vulnerabilidad permitía la exfiltración de datos de configuración, como endpoints para clústeres de Argo CD conectados. Estos datos podrían permitir a un atacante enumerar URLs de clúster y espacios de nombres para su uso en ataques posteriores. Además, el mismo error afectaba al endpoint 'RefreshResource'. Este endpoint no conduce a ninguna revelación de información, pero podría ser utilizado por un atacante no autenticado para realizar un ataque de estilo denegación de servicio contra la API de Kargo. 'RefreshResource' establece una anotación en recursos específicos de Kubernetes para activar reconciliaciones. Si se ejecuta en un bucle constante, esto también podría ralentizar las solicitudes legítimas al servidor de la API de Kubernetes. Este problema ha sido parcheado en las versiones de Kargo 1.8.7, 1.7.7 y 1.6.3. No hay soluciones alternativas para este problema."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*","versionEndExcluding":"1.6.3","matchCriteriaId":"E523C042-4A9D-4F89-8D9D-AAA82F28239C"},{"vulnerable":true,"criteria":"cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*","versionStartIncluding":"1.7.0","versionEndExcluding":"1.7.7","matchCriteriaId":"199BD7B6-D9D9-4E14-A47F-54E8EDA91D42"},{"vulnerable":true,"criteria":"cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*","versionStartIncluding":"1.8.0","versionEndExcluding":"1.8.7","matchCriteriaId":"87AFF1D2-3872-463C-BA4C-D6C31C3B9EBC"}]}]}],"references":[{"url":"https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}