Palantir Gotham Glutton V1 Service Authentication Bypass Vulnerability Allowing Unauthorized Data Access

Vulnerability

A vulnerability exists in the Glutton V1 service on Palantir Gotham stacks, where multiple endpoints were exposed without authentication or authorization. This flaw could have allowed users without the necessary permissions to reach the Glutton backend directly and read, update, or delete data. The issue arose from a software bug introduced during an infrastructure migration, which inadvertently allowed some code checks to pass without valid authentication. However, Palantir's Web Application Firewall would have blocked requests lacking a valid Authorization header. The affected service has been patched, and the fix was deployed automatically to all Apollo-managed Gotham instances.
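The bug class described above (an authorization check that can be satisfied by a request carrying no credential at all, sitting behind an edge filter that happens to reject such requests) is illustrated below. This is an added example written for this page; it is not Palantir's code, says nothing about how Glutton is actually implemented, and every route, token and handler in it is constructed for the illustration. It shows a check shaped so that the reject branches only run when a header is present, the deny-by-default form, a stand-in for the WAF rule the advisory mentions, and a registration-time audit that lists endpoints mounted without any permission requirement.

```python
"""Hypothetical illustration of an authentication-bypass check (added example,
not Palantir's code). All tokens, routes and handlers are constructed."""
import hmac

# Constructed token table: token -> (principal, granted permissions).
VALID_TOKENS = {
    "tok-alice": ("alice", {"read"}),
    "tok-bob": ("bob", {"read", "write"}),
}


class Request:
    def __init__(self, path, method, headers=None):
        self.path = path
        self.method = method
        self.headers = headers or {}


def lookup_principal(authorization):
    """Resolve a bearer credential to (principal, permissions), or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):]
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(known, token):  # constant-time string compare
            return principal
    return None


def check_vulnerable(req, needed):
    """Buggy shape: the 401/403 branches only run when a credential is present,
    so a request that omits Authorization entirely falls through to 200."""
    auth = req.headers.get("Authorization")
    if auth is not None:
        principal = lookup_principal(auth)
        if principal is None:
            return 401
        if needed not in principal[1]:
            return 403
    return 200


def check_hardened(req, needed):
    """Deny by default: absent, unknown, or under-privileged credentials all fail."""
    principal = lookup_principal(req.headers.get("Authorization"))
    if principal is None:
        return 401
    if needed not in principal[1]:
        return 403
    return 200


def waf_allows(req):
    """Stand-in for the edge rule the advisory describes: drop requests with no
    Authorization header before they reach the application at all."""
    return "Authorization" in req.headers


class Router:
    def __init__(self):
        self.routes = {}  # (method, path) -> (handler, required permission or None)

    def add(self, method, path, handler, permission=None):
        self.routes[(method, path)] = (handler, permission)

    def dispatch(self, req, check=check_hardened, waf=False):
        if waf and not waf_allows(req):
            return 403, None
        entry = self.routes.get((req.method, req.path))
        if entry is None:
            return 404, None
        handler, permission = entry
        if permission is not None:
            status = check(req, permission)
            if status != 200:
                return status, None
        return 200, handler(req)


def audit_unprotected(router):
    """Startup/CI check: every route registered without a permission is a finding."""
    return sorted(f"{m} {p}" for (m, p), (_, perm) in router.routes.items() if perm is None)


def build_demo_router():
    store = {"record-1": "value"}  # constructed backing data
    r = Router()
    r.add("GET", "/v1/records", lambda req: dict(store), permission="read")
    r.add("DELETE", "/v1/records/record-1", lambda req: store.pop("record-1", None), permission="write")
    r.add("GET", "/v1/health", lambda req: "ok")  # deliberately unprotected so the audit flags it
    return r


if __name__ == "__main__":
    router = build_demo_router()
    anonymous = Request("/v1/records", "GET")
    print("anonymous, buggy check:", router.dispatch(anonymous, check=check_vulnerable)[0])
    print("anonymous, hardened check:", router.dispatch(anonymous)[0])
    print("anonymous, buggy check behind WAF:", router.dispatch(anonymous, check=check_vulnerable, waf=True)[0])
    print("routes without a permission requirement:", audit_unprotected(router))
```

The point of `audit_unprotected` is that a bug like the one described is easiest to catch structurally: make the permission requirement part of route registration, fail the build when any route lacks one, and treat the edge filter as a second layer rather than the only one.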

Impact

Exploitation of this vulnerability could have led to unauthorized access and manipulation of data through the Glutton V1 service endpoints.

Added: Dec 19, 2025, 5:29 PM
Updated: Dec 19, 2025, 6:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 7.4
remediation: 0.0
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.