Approved changes feed: RSS · Atom

cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*

part: a version: * update: *

VendorAkuity (48432c36-e2b3-5566-ba23-540460c1d6cb)
ProductKargo (94a86a67-f98b-5718-8280-f4076c6efdca)
Edition*
Language*
Software edition*
Target softwarekubernetes
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/akuity/kargo purl2cpe 2026-06-01 10:12:41.247257
pkg:golang/github.com/akuity/kargo purl2cpe 2026-06-01 10:12:41.247259

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-32828 vulnerable 2026-06-08 07:57:18.174378 Kargo: SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration
Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against link-local addresses, most critically the cloud instance metadata endpoint (169.254.169.254), enabling exfiltration of sensitive data such as IAM credentials. These steps provide full control over request headers and methods, rendering cloud provider header-based SSRF mitigations ineffective. An authenticated attacker with permissions to create/update Stages or craft Promotion resources can exploit this by submitting a malicious Promotion manifest, with response data retrievable via Promotion status fields, Git repositories, or a second http step. This issue has been fixed in versions 1.6.4, 1.7.9, 1.8.12 and 1.9.5.
Published: 2026-03-20T00:39:25.548Z
Updated: 2026-03-25T14:38:54.598Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27112 vulnerable 2026-06-08 07:53:21.929349 Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3.
Published: 2026-02-20T21:22:56.719Z
Updated: 2026-02-24T18:43:40.423Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27111 vulnerable 2026-06-08 07:53:21.928717 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
Published: 2026-02-20T21:17:07.383Z
Updated: 2026-02-24T18:46:03.564Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-24748 vulnerable 2026-06-08 07:51:18.113242 Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue.
Published: 2026-01-27T21:23:53.890Z
Updated: 2026-01-28T21:15:14.453Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.