Description
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.
Published: 2026-05-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kargo's UI OIDC login flow accepts a redirectTo query parameter without validating it, so an attacker who persuades a user to open a crafted login link can have the browser sent to an arbitrary URL once authentication completes. Because the hop starts from the legitimate Kargo origin, the attacker's landing page is well placed for phishing (a look-alike "please sign in again" prompt) or malware delivery, which can lead to credential theft. The redirect does not itself expose the Kargo session or data; the harm lands on whatever the user does next. This is a classic open redirect weakness (CWE-601).

Affected Systems

Akuity Kargo is affected in every release earlier than the patched ones (1.7.10 in the 1.7 line, 1.8.13 in 1.8, 1.9.8 in 1.9 and 1.10.2 in 1.10); those releases pass the redirectTo parameter through the UI OIDC login flow without validation. Upgrading to the patched release for the line in use resolves the issue.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (Medium) comes from the vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N: the attack is network-reachable and needs no privileges or prior credential compromise, but it does require the victim to actively open the crafted link (UI:A), and the only rated impact is a low confidentiality effect on a subsequent system rather than on Kargo itself. EPSS is below 1% and the flaw is not listed in the CISA KEV catalog. Constructing the malicious login URL is trivial, so the residual risk is moderate and the upgrade should not be deferred.

Generated by OpenCVE AI on May 8, 2026 at 23:21 UTC.

Remediation

Fixed by the vendor in Kargo 1.7.10, 1.8.13, 1.9.8 and 1.10.2, as stated in the description; no configuration workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Kargo to 1.7.10, 1.8.13, 1.9.8 or 1.10.2 (or later in the same line) to receive the redirectTo validation fix.
  • If an upgrade is not possible, strip the redirectTo parameter from login requests (for example at a reverse proxy in front of the UI) so the flow falls back to its default landing page, or accept only same-origin relative paths; an allowlist of trusted external domains is a weaker substitute, since it still hands the attacker a trusted-looking hop.
  • Wherever the redirect is performed, validate the value before use: parse it, reject anything carrying a scheme, authority, backslash or control character (including the protocol-relative //host form and its percent-encoded variants), require a path that starts with a single "/", and fall back to a fixed in-app page otherwise.
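The validation described in the recommended actions, as an added example written for this page in Go (Kargo is a Go project); it is not Kargo's own code or its fix. The route /auth/callback, the callbackHandler, the DefaultRedirect constant and the sample redirectTo values are assumptions of the example. SafeRedirectTarget reduces the untrusted value to a rooted same-origin path and rejects every off-site shape, including the protocol-relative and backslash variants that defeat a naive "starts with /" check; LocationFor shows what the handler actually emits in the Location header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// DefaultRedirect is the in-app destination used whenever redirectTo is
// rejected. It is an assumption of this example, not a Kargo setting.
const DefaultRedirect = "/"

// SafeRedirectTarget reduces an untrusted redirectTo value to a rooted,
// same-origin path. It returns the cleaned path and true when the value is
// acceptable, or DefaultRedirect and false when it must be discarded.
func SafeRedirectTarget(raw string) (string, bool) {
	if raw == "" {
		return DefaultRedirect, false
	}
	u, err := url.Parse(raw)
	if err != nil { // includes raw control characters, which url.Parse refuses
		return DefaultRedirect, false
	}
	// A scheme ("https:", "javascript:"), an authority ("//evil.example"
	// parses with Host set) or an opaque part all point off-site.
	if u.Scheme != "" || u.Opaque != "" || u.User != nil || u.Host != "" {
		return DefaultRedirect, false
	}
	// Inspect the decoded path, not the raw string, so "%2F%2F" and "%5C"
	// are caught. Backslashes are rejected because browsers read
	// "/\evil.example" as "//evil.example"; control characters are rejected
	// so nothing can be smuggled into the Location header.
	p := u.Path
	for _, r := range p {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return DefaultRedirect, false
		}
	}
	// Only rooted paths are accepted: "dashboard" or "../x" would resolve
	// against the current document. A leading "//" is rejected rather than
	// normalised away, since that is exactly the open-redirect shape.
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") {
		return DefaultRedirect, false
	}
	// Collapse dot segments so the browser receives a canonical path; Clean
	// never leaves a "//" prefix once the input starts with a single "/".
	clean := url.URL{Path: path.Clean(p), RawQuery: u.RawQuery}
	return clean.String(), true
}

// callbackHandler stands in for the step after OIDC authentication has
// succeeded: the session is established and redirectTo is honoured. The
// route and handler are hypothetical and not Kargo's.
func callbackHandler(w http.ResponseWriter, r *http.Request) {
	requested := r.URL.Query().Get("redirectTo")
	target, ok := SafeRedirectTarget(requested)
	if !ok {
		// Rejected values are worth logging: a burst of them from one
		// source is a phishing campaign being tuned against the tenant.
		fmt.Printf("rejected redirectTo=%q from %s\n", requested, r.RemoteAddr)
	}
	http.Redirect(w, r, target, http.StatusSeeOther)
}

// LocationFor drives callbackHandler with a constructed request carrying
// the given redirectTo value and returns the Location header it emits.
func LocationFor(redirectTo string) string {
	q := url.Values{"redirectTo": {redirectTo}}.Encode()
	req := httptest.NewRequest(http.MethodGet, "/auth/callback?"+q, nil)
	rec := httptest.NewRecorder()
	callbackHandler(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample values: one legitimate target beside the shapes an
	// attacker would try against a naive "starts with /" check.
	for _, v := range []string{
		"/dashboard?tab=promotions",
		"https://evil.example/login",
		"//evil.example",
		`/\evil.example`,
		"/%2F%2Fevil.example",
		"javascript:alert(1)",
		"dashboard",
	} {
		fmt.Printf("%-28q -> Location: %s\n", v, LocationFor(v))
	}
}
```

The check is deliberately an allowlist of one shape (a rooted, same-origin path) rather than a denylist of known bad prefixes: every value that is not that shape collapses to DefaultRedirect, and the decision is made once, at the point where the redirect is issued, so the frontend cannot reintroduce the bug by reading the parameter itself.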


Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Values added (nothing removed):
  First Time appeared: Akuity; Akuity kargo
  Vendors & Products: Akuity; Akuity kargo

Fri, 08 May 2026 22:45:00 +0000

Values added (nothing removed):
  Description: Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.
  Title: Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Query Parameter
  Weaknesses: CWE-601
  References: (none)
  Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:35:30.155Z

Reserved: 2026-04-26T13:26:14.515Z

Link: CVE-2026-42350

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:38.040

Modified: 2026-05-08T23:16:38.040

Link: CVE-2026-42350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses