Auth bypass in Akuity Kargo

CVE-2026-24748

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, the authentication check on the `GetConfig()` API endpoint was defective. This allowed unauthenticated users to access this end…
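The following Go program is an added illustration of the bug class named in this advisory (missing authentication on a single API procedure). It is not Kargo's code and does not claim to show how the Kargo defect actually arose: the service and procedure paths, the token, the response bodies and the "exempt list" mechanism are all assumptions made up for the example. The vulnerable variant serves `GetConfig` to anonymous callers; the fixed variant keeps only the procedure that is meant to be public on the exempt list.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical RPC-style API (not Kargo's): each procedure is routed by its
// path, the way a gRPC/Connect server routes "/package.Service/Method".
const (
	ProcGetPublicConfig = "/example.v1.ConfigService/GetPublicConfig" // legitimately anonymous (login settings)
	ProcGetConfig       = "/example.v1.ConfigService/GetConfig"       // must require a caller identity
	DemoToken           = "demo-token"                                // constructed credential for this example
)

// requireAuth admits a request only if it carries a valid bearer token, except
// for procedures listed in exempt. An exempt list is where this bug class
// usually lives: one extra entry silently turns an authenticated procedure
// into a public one, with no error and no log line.
func requireAuth(next http.Handler, exempt map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !exempt[r.URL.Path] {
			tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
			if subtle.ConstantTimeCompare([]byte(tok), []byte(DemoToken)) != 1 {
				http.Error(w, "unauthenticated", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func newAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(ProcGetPublicConfig, func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"oidc":{"issuer":"https://idp.example.internal"}}`)
	})
	mux.HandleFunc(ProcGetConfig, func(w http.ResponseWriter, _ *http.Request) {
		// Internal details an anonymous caller should never see (constructed sample).
		fmt.Fprint(w, `{"argocdUrl":"https://argocd.example.internal","adminUser":"admin"}`)
	})
	return mux
}

// VulnerableServer models the flaw: GetConfig sits on the exempt list next to
// GetPublicConfig (hypothetical mechanism), so anonymous calls succeed.
func VulnerableServer() http.Handler {
	return requireAuth(newAPI(), map[string]bool{ProcGetPublicConfig: true, ProcGetConfig: true})
}

// FixedServer keeps only the procedure that is meant to be public on the list.
func FixedServer() http.Handler {
	return requireAuth(newAPI(), map[string]bool{ProcGetPublicConfig: true})
}

// Call performs an in-memory request against h and returns the HTTP status;
// an empty token sends no Authorization header at all.
func Call(h http.Handler, proc, token string) int {
	req := httptest.NewRequest(http.MethodPost, proc, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, anonymous GetConfig:", Call(VulnerableServer(), ProcGetConfig, ""))   // 200
	fmt.Println("fixed, anonymous GetConfig:     ", Call(FixedServer(), ProcGetConfig, ""))        // 401
	fmt.Println("fixed, token GetConfig:         ", Call(FixedServer(), ProcGetConfig, DemoToken)) // 200
}
```

The practical check this suggests for any deployment, regardless of product: enumerate every procedure the server exposes and assert, in a test that runs in CI, that each one not explicitly designed to be public returns 401 when called with no credentials. The vulnerable and fixed servers above differ by a single map entry, which is exactly the kind of change a code review misses and an automated negative test does not.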

Vulnerability class: Broken Access Control

EPSS: 0.001 (30.5th percentile)

Affected products

  • Akuity Kargo — versions < 1.6.3; >= 1.7.0 and < 1.7.7; >= 1.8.0 and < 1.8.7 (fixed in 1.6.3, 1.7.7 and 1.8.7)
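A version check for the ranges above, added here as an example rather than tooling from Kargo or the advisory. It encodes the three affected intervals as half-open ranges and reports whether a given version string falls inside one. The handling of pre-release suffixes is an assumption of this example, explained in the comments; Kargo's own version scheme is not described on this page.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// semver holds the numeric part of a version string. Pre-release and build
// suffixes (1.8.0-rc.1, 1.8.0+build) are deliberately folded into their base
// version so that a release candidate of an affected line is reported as
// affected rather than sorting below the range's lower bound. This is an
// assumption made for the example, not a rule stated in the advisory.
type semver struct{ major, minor, patch int }

func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad component %q in version %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// less reports whether a sorts strictly before b.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// vulnRange is a half-open interval [low, high); low is nil for "everything before high".
type vulnRange struct {
	low  *semver
	high semver
}

func mustVersion(s string) semver {
	v, err := parseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

func ptr(v semver) *semver { return &v }

// Affected ranges for CVE-2026-24748 as stated on the advisory: every release
// before 1.6.3, the 1.7 line before 1.7.7, and the 1.8 line before 1.8.7.
var affectedRanges = []vulnRange{
	{high: mustVersion("1.6.3")},
	{low: ptr(mustVersion("1.7.0")), high: mustVersion("1.7.7")},
	{low: ptr(mustVersion("1.8.0")), high: mustVersion("1.8.7")},
}

// IsAffected reports whether the given Kargo version falls inside an affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if r.low != nil && v.less(*r.low) {
			continue
		}
		if v.less(r.high) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Usage: go run . 1.7.3 v1.8.7 1.6.2   (defaults below are constructed samples)
	versions := os.Args[1:]
	if len(versions) == 0 {
		versions = []string{"1.6.2", "1.6.3", "1.7.3", "1.8.0-rc.1", "1.8.7", "1.9.0"}
	}
	for _, s := range versions {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", s, affected)
	}
}
```

Note that 1.6.3 and anything later on the 1.6 line (for instance 1.6.5) is reported as not affected, since the advisory's first range is simply "< 1.6.3"; versions beyond 1.8.7, such as 1.9.0, are likewise outside every listed range.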
