CVE-2026-24748: CWE-863: Incorrect Authorization in akuity kargo
CVE-2026-24748 is an incorrect authorization vulnerability in akuity's Kargo software versions prior to 1.8.7, 1.7.7, and 1.6.3. It allows unauthenticated attackers to access the GetConfig() API endpoint by supplying any non-empty Bearer token, leading to exposure of configuration data including Argo CD cluster endpoints. This information can facilitate further attacks by enumerating cluster URLs and namespaces. Additionally, the RefreshResource endpoint is vulnerable to unauthenticated denial-of-service attacks by triggering excessive Kubernetes resource reconciliations, potentially degrading API server performance.
AI Analysis
Technical Summary
The vulnerability CVE-2026-24748 in akuity's Kargo software arises from incorrect authorization checks on two API endpoints: GetConfig() and RefreshResource. In affected versions prior to 1.8.7, 1.7.7, and 1.6.3, the GetConfig() endpoint improperly validates the Authorization header: the presence of any non-empty Bearer token is treated as successful authentication, so the token's validity is never checked. This flaw enables unauthenticated attackers to retrieve sensitive configuration data, such as endpoints for connected Argo CD clusters. Such data disclosure can be leveraged to enumerate cluster URLs and namespaces, facilitating targeted attacks on Kubernetes clusters managed via Kargo. The RefreshResource endpoint suffers from a similar authorization bypass, permitting unauthenticated users to trigger Kubernetes resource reconciliations by setting annotations. While this does not disclose information, it can be exploited to launch denial-of-service style attacks by repeatedly invoking this endpoint, causing performance degradation of the Kubernetes API server and slowing legitimate requests. The vulnerability does not require privileges or user interaction, increasing its risk profile. The issue has been addressed in Kargo versions 1.8.7, 1.7.7, and 1.6.3, with no available workarounds. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L) reflects a network attack vector, low attack complexity, no privileges or user interaction required, limited confidentiality and availability impact on the vulnerable system (VC:L, VA:L), and a limited availability impact on subsequent systems (SA:L), consistent with the load the reconciliation storm places on the Kubernetes API server.
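To make the bug class concrete, the following Go snippet is an illustration added here, not Kargo's code: it places a header check that accepts any non-empty Bearer token (the flawed pattern the advisory describes) beside one that only accepts a token a verifier has confirmed. The TokenVerifier type, staticVerifier and the secret value are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"strings"
)

// Illustrative only: models the advisory's bug class, not Kargo's code.
// The flawed check treats the mere presence of a Bearer token as proof of
// authentication; the strict check hands the token to a verifier.

// weakHasBearer reproduces the flawed pattern: any non-empty token passes.
func weakHasBearer(authHeader string) bool {
	return strings.HasPrefix(authHeader, "Bearer ") &&
		strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer ")) != ""
}

// TokenVerifier is an assumed hook for whatever validates tokens in a real
// deployment (OIDC introspection, JWT signature check, admin secret).
type TokenVerifier func(token string) bool

// strictBearer parses the header and accepts only a token the verifier
// confirms; a well-formed but unknown token is rejected.
func strictBearer(authHeader string, verify TokenVerifier) bool {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return false
	}
	token := strings.TrimSpace(strings.TrimPrefix(authHeader, prefix))
	if token == "" {
		return false
	}
	return verify(token)
}

// staticVerifier is a constructed verifier for the demo: constant-time
// comparison against a single known-good token.
func staticVerifier(expected string) TokenVerifier {
	return func(token string) bool {
		return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1
	}
}
```

A GetConfig-style handler should only be reachable after strictBearer returns true; weakHasBearer is shown solely to make the contrast visible.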
Potential Impact
For European organizations deploying akuity Kargo in their software artifact promotion and Kubernetes cluster management workflows, this vulnerability poses significant risks. Confidentiality is impacted through unauthorized disclosure of configuration data, which can reveal infrastructure details such as Argo CD cluster endpoints and namespaces. This information leakage can enable attackers to plan and execute further targeted attacks against Kubernetes clusters, potentially leading to lateral movement or privilege escalation. The availability impact arises from the ability to perform denial-of-service style attacks via the RefreshResource endpoint, which can degrade Kubernetes API server responsiveness and disrupt cluster operations. Organizations relying on Kargo for continuous deployment pipelines or cluster management may experience operational disruptions, impacting service delivery and business continuity. Given the lack of required authentication and user interaction, exploitation can be automated and widespread if vulnerable versions remain in use. The medium CVSS score reflects a moderate but actionable threat, especially in environments with critical Kubernetes infrastructure. Failure to patch could expose European enterprises to data exfiltration and service degradation, undermining security and compliance postures.
Mitigation Recommendations
The primary mitigation is to upgrade akuity Kargo to version 1.8.7, 1.7.7, or 1.6.3 (or a later release in the same line), where the authorization checks on the GetConfig() and RefreshResource endpoints have been corrected. Since no workarounds exist, patching is imperative. Organizations should audit their deployment environments to identify the Kargo versions in use and prioritize updates accordingly. Additionally, implement network-level controls such as restricting access to the Kargo API endpoints to trusted internal networks or VPNs to reduce exposure. Employ Kubernetes API server rate limiting and monitoring to detect abnormal reconciliation requests that may indicate exploitation attempts. Integrate logging and alerting on Kargo API access patterns to identify unauthorized or anomalous activity. Review the Argo CD cluster configurations and namespaces that Kargo exposes to ensure minimal exposure and enforce least privilege principles. Finally, incorporate this vulnerability into incident response plans and threat hunting activities to rapidly detect and respond to potential exploitation.
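As an added example of the monitoring recommended above (not part of the original advisory), this Go function scans access-log lines for bursts of RefreshResource calls from a single source, the pattern a reconciliation-storm attempt would leave. The log format, IP addresses, principals and timestamps are constructed for the example and are not Kargo's real log format.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Constructed access-log lines for this example (not Kargo's real log format).
// Fixed field order: "<RFC3339 ts> src=<ip> rpc=<method> subject=<principal>".
var sampleLog = []string{
	"2026-01-27T21:35:00Z src=203.0.113.10 rpc=RefreshResource subject=anonymous",
	"2026-01-27T21:35:01Z src=203.0.113.10 rpc=RefreshResource subject=anonymous",
	"2026-01-27T21:35:02Z src=203.0.113.10 rpc=RefreshResource subject=anonymous",
	"2026-01-27T21:35:03Z src=203.0.113.10 rpc=RefreshResource subject=anonymous",
	"2026-01-27T21:35:10Z src=10.0.0.5 rpc=RefreshResource subject=ci-bot",
	"2026-01-27T21:36:40Z src=10.0.0.5 rpc=RefreshResource subject=ci-bot",
	"2026-01-27T21:36:41Z src=10.0.0.7 rpc=GetConfig subject=alice",
}

// burstSources flags every source that made at least threshold calls to rpc
// within any span of length window. Lines are assumed to be in timestamp
// order, as an access log is; malformed lines are skipped.
func burstSources(lines []string, rpc string, window time.Duration, threshold int) []string {
	bySrc := map[string][]time.Time{}
	for _, line := range lines {
		tok := strings.Fields(line)
		if len(tok) < 3 || tok[2] != "rpc="+rpc {
			continue
		}
		ts, err := time.Parse(time.RFC3339, tok[0])
		if err != nil {
			continue
		}
		src := strings.TrimPrefix(tok[1], "src=")
		bySrc[src] = append(bySrc[src], ts)
	}
	var flagged []string
	for src, ts := range bySrc {
		// Sorted timestamps: a burst exists iff some run of threshold
		// consecutive calls spans no more than window.
		for j := threshold - 1; j < len(ts); j++ {
			if ts[j].Sub(ts[j-threshold+1]) <= window {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}
```

Tune window and threshold to the reconciliation rate your own pipelines legitimately produce (the ci-bot source above stays unflagged at four calls per ten seconds) and feed the flagged sources into the alerting described in the recommendations.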
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-26T19:06:16.060Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69792fbd4623b1157c48ea50
Added to database: 1/27/2026, 9:35:57 PM
Last enriched: 1/27/2026, 9:50:35 PM
Last updated: 1/28/2026, 2:04:41 AM