CVE-2026-27111
published 2026-02-20CVE-2026-27111: Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard…
PriorityP429medium5CVSS 3.1
AVNACLPRLUINSCCNILAN
EPSS
0.18%
7.2th percentile
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| akuity | kargo | — | — |
| akuity | kargo | >= 1.9.0 < 1.9.3 | 1.9.3 |
| github.com | akuity_kargo | >= 1.9.0 < 1.9.3 | 1.9.3 |
CVSS provenance
nvdv3.15.0MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
osv·2026-02-23
CVE-2026-27111 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
OSV
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
osv·2026-02-19
CVE-2026-27111 [MEDIUM] Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
## Summary
Kargo's authorization model includes a `promote` verb -- a non-standard Kubernetes ["dolphin verb"](https://www.aquasec.com/blog/kubernetes-verbs/) -- that gates the ability to advance `Freight` through a promotion pipeline. This verb exists to separate the ability to _manage_ promotion-related resources from the ability to _trigger_ promotions, enabling fine-grained access control over what is often a sensitive operation.
The `promote` verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (`patch` on `freights/status` or `create` on `promotion
GHSA
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
ghsa·2026-02-19
CVE-2026-27111 [MEDIUM] CWE-862 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
## Summary
Kargo's authorization model includes a `promote` verb -- a non-standard Kubernetes ["dolphin verb"](https://www.aquasec.com/blog/kubernetes-verbs/) -- that gates the ability to advance `Freight` through a promotion pipeline. This verb exists to separate the ability to _manage_ promotion-related resources from the ability to _trigger_ promotions, enabling fine-grained access control over what is often a sensitive operation.
The `promote` verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (`patch` on `freights/status` or `create` on `promotion
No detection rules found.
No public exploits indexed.
2026-02-20
Published