Palantir Gotham
By the Year
In 2026 there has been 1 vulnerability in Palantir Gotham, with an average score of 3.5 out of ten. Last year, in 2025, Gotham had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Gotham in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 5.60.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 3.50 |
| 2025 | 1 | 9.10 |
| 2024 | 0 | 0.00 |
| 2023 | 4 | 6.60 |
It may take a day or so for new Gotham vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Palantir Gotham Security Vulnerabilities
Palantir Dossier Image Upload Security Level Misassignment in CBACDisabled Deployments
CVE-2025-62487
3.5 - Low
- January 09, 2026
On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the default authorization rules defined in the Auth Chooser configuration. On most environments, it is expected that the default authorization rules only add the Everyone group.
AuthZ
Unauthenticated Glutton V1 endpoints on Gotham stacks
CVE-2024-49587
9.1 - Critical
- December 19, 2025
Glutton V1 service endpoints were exposed without any authentication on Gotham stacks. This could have allowed users who did not have any permission to hit the Glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham instances.
Authentication Bypass by Primary Weakness
Palantir Gotham Frontend Classification Bug
CVE-2023-30961
6.1 - Medium
- September 27, 2023
Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.
Clickjacking
Palantir Gotham <3.22.11.2 Unauth Zip Memory Exhaustion
CVE-2022-27897
7.5 - High
- February 16, 2023
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would load portions of maliciously crafted zip files to memory. An attacker could repeatedly upload a malicious zip file, which would allow them to exhaust memory resources on the dispatch server.
Improper Input Validation
Gotham <3.22.11.2: unauthenticated memory exhaustion via dispatch service
CVE-2022-27892
7.5 - High
- February 16, 2023
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would have allowed an attacker to exhaust the memory of the Gotham dispatch service.
Improper Input Validation
Unauth Enumeration in Palantir Gotham <103.30221005.0
CVE-2022-27891
5.3 - Medium
- February 16, 2023
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.
Missing Authentication for Critical Function