CVE-2024-49587
Unauthenticated Access in Glutton V1 Service Exposes Data
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: Palantir Technologies
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palantir | glutton | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability involves the Glutton V1 service endpoints being exposed without any authentication on Gotham stacks. This exposure allowed unauthorized users to directly access the Glutton backend and perform actions such as reading, updating, or deleting data without any permission.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data and unauthorized modification or deletion of data. It poses a high risk of data compromise and integrity loss, potentially affecting the confidentiality and reliability of your systems.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that has been released for the affected Glutton V1 service endpoints and ensure it is deployed to all Apollo-managed Gotham Instances to prevent unauthorized access.