Description
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versions 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
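As an illustration of the bug class the advisory describes (CWE-863, a check that accepts any non-empty Bearer token regardless of validity), here is an added Go example that is not Kargo's code: a presence-only check beside one that also verifies the token. The `Verifier` interface and the `staticVerifier` stand-in are constructed for this example.

```go
package main

import "errors"
import "strings"

// Verifier validates a bearer token and returns its subject (hypothetical interface).
type Verifier interface {
	Verify(token string) (subject string, err error)
}

func bearerToken(authz string) string {
	if !strings.HasPrefix(authz, "Bearer ") {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(authz, "Bearer "))
}

// VulnerableAuth models the bug class in the advisory: it only confirms that
// some non-empty Bearer token is present and never checks that it is valid.
func VulnerableAuth(authz string, _ Verifier) (string, error) {
	if bearerToken(authz) == "" {
		return "", errors.New("unauthenticated")
	}
	return "unverified-caller", nil // any garbage token gets through
}

// FixedAuth requires the token to be present AND to verify (CWE-863 fix).
func FixedAuth(authz string, v Verifier) (string, error) {
	tok := bearerToken(authz)
	if tok == "" {
		return "", errors.New("unauthenticated")
	}
	subj, err := v.Verify(tok)
	if err != nil {
		return "", errors.New("unauthenticated: " + err.Error())
	}
	return subj, nil
}

// staticVerifier is a constructed stand-in that knows one valid token.
type staticVerifier map[string]string

func (s staticVerifier) Verify(tok string) (string, error) {
	if subj, ok := s[tok]; ok {
		return subj, nil
	}
	return "", errors.New("invalid token")
}

func main() {}
```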
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Kargo exposes the GetConfig() API endpoint without proper authentication checks, allowing any user who provides a non‑empty Bearer token to retrieve configuration data such as Argo CD cluster endpoints. Adversaries can use this information to enumerate cluster URLs and namespaces, potentially enabling further attacks. The same flaw applies to the RefreshResource endpoint; while it does not reveal data, an unauthenticated attacker could invoke it repeatedly to trigger reconciliations, creating a denial‑of‑service effect by overloading the Kubernetes API server.

Affected Systems

Akuity Kargo deployments are vulnerable if they run any version older than 1.8.7, 1.7.7, or 1.6.3. These releases lack the necessary authentication guard on the GetConfig() and RefreshResource APIs. Upgrading to the patched versions removes the flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity. The EPSS score is less than 1%, suggesting low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Exploitation requires only network access to the Kargo API and the provision of any non‑empty Bearer token, meaning the attack vector is external API access and does not require privileged credentials.

Generated by OpenCVE AI on April 18, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kargo to version 1.8.7 or later (or the equivalent fixed release in previous major versions).
  • Limit access to the Kargo API to known, trusted IP addresses or network segments.
  • Enable rate limiting or request throttling for the RefreshResource endpoint to mitigate denial‑of‑service attempts.

Advisories
Source ID Title
Github GHSA GHSA-w5wv-wvrp-v5m5 Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
History

Wed, 25 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L'}


Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared: Akuity, Akuity kargo
Vendors & Products: Akuity, Akuity kargo

Tue, 27 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description (text identical to the advisory description at the top of this page)
Title Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T21:15:14.453Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24748

Vulnrichment

Updated: 2026-01-28T21:15:11.640Z

NVD

Status : Analyzed

Published: 2026-01-27T22:15:56.630

Modified: 2026-02-25T17:59:22.477

Link: CVE-2026-24748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses