Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
github.com/akuity/kargo v0.3.2 | Vulnerabi… | Sonatype Guide
golang
github.com/akuity/kargo
v0.3.2
github.com/akuity/kargo v0.3.2
Published
Jan 25, 2024
•
Policy
compliance
golang Registry
Developer Trust Score
N/A
Recommended Version:
x.y.z
Latest version with 0 known vulnerabilities that meets your policy.
Compare Versions
Overview
Overview
Versions
191
Versions
191
Vulnerabilities
1
Vulnerabilities
1
Dependencies
0
Dependencies
0
Reset filters
Severity
Critical
(0)
High
(1)
Medium
(0)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
7.2
CVE-2026-24748
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
affected
Severity
High
Published
Jan 28, 2026
