# GitHub: akuity/kargo vulnerabilities
4 known vulnerabilities affecting github.com/akuity_kargo.
| Total CVEs | CISA KEV | Public exploits | Exploited in wild |
|---|---|---|---|
| 4 | 0 | 0 | 0 |

Severity breakdown: CRITICAL 1, MEDIUM 3.
## Vulnerabilities
**CVE-2026-27112** [CRITICAL] CWE-863: Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
P2. Affected: ≥ 1.9.0-rc.1, < 1.9.3; ≥ 1.8.0-rc.1, < 1.8.11; +1 more. 2026-02-19
## Summary
The batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. When either endpoint creates a `Project` resource, creation of subsequent resources from that same payload belonging in that Project's underlying Kub
**CVE-2026-24748** [MEDIUM] CWE-863: Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
P3. Affected: ≥ 0, < 1.6.3; ≥ 1.7.0-rc.1, < 1.7.7; +1 more. 2026-01-27
### Impact
A bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for ex
**CVE-2026-32828** [MEDIUM] CWE-918: Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration
P4. Affected: ≥ 1.4.0, < 1.6.4; ≥ 1.7.0-rc.1, < 1.7.9; +2 more. 2026-03-16
## Summary
Kargo's built-in `http` and `http-download` promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for req
**CVE-2026-27111** [MEDIUM] CWE-862: Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
P4. Affected: ≥ 1.9.0, < 1.9.3. 2026-02-19
## Summary
Kargo's authorization model includes a `promote` verb -- a non-standard Kubernetes ["dolphin verb"](https://www.aquasec.com/blog/kubernetes-verbs/) -- that gates the ability to advance `Freight` through a promotion pipeline. This verb exists to separate the ability to _man