Vendor
OpenCost contains an unauthenticated file write vulnerability, tracked as GHSA-wmj8-9953-vff5, in its `/serviceKey` endpoint that allows remote attackers to overwrite the GCP service account key file (`key.json`) without any authentication or input validation, leading to service disruption, credential theft, and potential privilege escalation within Kubernetes clusters or GCP environments.