Description
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

Kargo's REST API contains three endpoints (/v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream) that omit enforcement of the custom 'promote' authorization verb. This omission allows users who hold standard Kubernetes RBAC rights to patch freight status or create promotions to advance Freight objects through promotion pipelines without having been granted explicit promotion rights. The result is an unauthorized elevation of privilege that can compromise the integrity of deployment workflows. This weakness is identified as CWE-862, Missing Authorization.

Affected Systems

Affected versions are Kargo v1.9.0 through v1.9.2. The vulnerability applies to all deployments of the Kargo product from the Akuity vendor, including environments that rely on the default REST API. The issue was addressed in Kargo v1.9.3.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, primarily because of the privilege escalation potential. The EPSS score is below 1%, implying a low likelihood of widespread exploitation at the time of assessment. Kargo is not listed in the CISA KEV catalog, and no public exploits have been reported. Exploitation requires access to the REST API with ordinary RBAC permissions (patch on freights/status or create on promotions), which cluster users or service accounts may already hold. With such access, an attacker can invoke the approval or promotion endpoints without the intended promote check being applied.

Generated by OpenCVE AI on April 17, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Kargo v1.9.3 release or later to restore proper promote verb enforcement.
  • Restrict Kubernetes RBAC permissions for patching freight status and creating promotions to only users who have the promote verb privilege.
  • Audit the REST API endpoints for missing authorization checks and enforce RBAC policies across all services.
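The following Go program is an added illustration and is not Kargo's own code. It models the authorization gap the advisory describes with a small evaluator in the shape of Kubernetes RBAC rules (verbs on resources, with subresources written as "freights/status"): AuthorizeVulnerable checks only the standard verb each endpoint needs, as the affected REST endpoints did, while AuthorizeFixed also requires the custom promote verb. The endpoint-to-operation mapping is taken from the advisory text; the sample roles are constructed, and the assumption that promote is evaluated against the "stages" resource for all three endpoints is the example's, not the advisory's.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyRule mirrors the verbs/resources part of a Kubernetes RBAC rule.
// A subresource is written "resource/subresource", e.g. "freights/status".
type PolicyRule struct {
	Verbs     []string
	Resources []string
}

// Role is a list of rules; a request is allowed if any rule matches.
type Role []PolicyRule

// contains implements RBAC matching, including the "*" wildcard.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows reports whether the role grants verb on resource.
func (r Role) Allows(verb, resource string) bool {
	for _, rule := range r {
		if contains(rule.Verbs, verb) && contains(rule.Resources, resource) {
			return true
		}
	}
	return false
}

// endpointAction maps the three affected REST endpoints to the underlying
// Kubernetes operation they perform, as stated in the advisory.
var endpointAction = map[string][2]string{
	"freight/approve":       {"patch", "freights/status"},
	"promotions":            {"create", "promotions"},
	"promotions/downstream": {"create", "promotions"},
}

var ErrForbidden = errors.New("forbidden")

// AuthorizeVulnerable reproduces the pre-1.9.3 REST behaviour: only the
// standard verb on the underlying resource is checked.
func AuthorizeVulnerable(role Role, endpoint string) error {
	action, ok := endpointAction[endpoint]
	if !ok {
		return fmt.Errorf("unknown endpoint %q", endpoint)
	}
	if !role.Allows(action[0], action[1]) {
		return fmt.Errorf("%w: %s %s", ErrForbidden, action[0], action[1])
	}
	return nil
}

// AuthorizeFixed adds the gate the gRPC API already enforced: the caller must
// also hold the custom "promote" verb. Assumption (not from the advisory):
// the verb is evaluated against the "stages" resource for all three endpoints.
func AuthorizeFixed(role Role, endpoint string) error {
	if err := AuthorizeVulnerable(role, endpoint); err != nil {
		return err
	}
	if !role.Allows("promote", "stages") {
		return fmt.Errorf("%w: missing promote verb on stages", ErrForbidden)
	}
	return nil
}

// Constructed sample roles. ResourceManager is the situation the advisory
// describes: it may manage promotion-related resources but was deliberately
// not granted promote. Promoter holds the same verbs plus promote.
var (
	ResourceManager = Role{
		{Verbs: []string{"get", "list", "patch"}, Resources: []string{"freights", "freights/status"}},
		{Verbs: []string{"get", "list", "create"}, Resources: []string{"promotions"}},
	}
	Promoter = Role{
		{Verbs: []string{"patch"}, Resources: []string{"freights/status"}},
		{Verbs: []string{"create"}, Resources: []string{"promotions"}},
		{Verbs: []string{"promote"}, Resources: []string{"stages"}},
	}
)

func main() {
	for _, ep := range []string{"freight/approve", "promotions", "promotions/downstream"} {
		fmt.Printf("%-22s vulnerable-allows=%v fixed-allows=%v\n", ep,
			AuthorizeVulnerable(ResourceManager, ep) == nil,
			AuthorizeFixed(ResourceManager, ep) == nil)
	}
}
```

Running it shows ResourceManager passing the vulnerable check on all three endpoints and being denied by the fixed one, which is exactly the boundary the second recommended action above restores from the RBAC side: if patch on freights/status and create on promotions are only ever bound together with promote, the missing check has nothing to let through.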



Advisories
Source: GitHub GHSA
ID: GHSA-5vvm-67pj-72g4
Title: Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
History

Wed, 25 Feb 2026 18:15:00 +0000

Values added:
  CPEs: cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*
  Metrics (cvssV3_1): {'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}


Wed, 25 Feb 2026 08:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Values added:
  First time appeared: Akuity; Akuity kargo
  Vendors & Products: Akuity; Akuity kargo

Fri, 20 Feb 2026 21:45:00 +0000

Values added:
  Description: (identical to the Description section above)
  Title: Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
  Weaknesses: CWE-862
  References:
  Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:46:03.564Z

Reserved: 2026-02-17T18:42:27.042Z

Link: CVE-2026-27111

Vulnrichment

Updated: 2026-02-24T18:45:56.256Z

NVD

Status: Analyzed

Published: 2026-02-20T22:16:29.187

Modified: 2026-02-25T18:01:51.917

Link: CVE-2026-27111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses