CVE-2026-27111
📋 TL;DR
Kargo versions 1.9.0 to 1.9.2 have an authorization bypass vulnerability where three REST API endpoints omit the 'promote' verb check. This allows users with standard Kubernetes RBAC permissions to trigger promotions even if they were deliberately denied this sensitive operation. Organizations using affected Kargo versions for software artifact promotion are impacted.
💻 Affected Systems
- Kargo
📦 What is this software?
Kargo by Akuity
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could promote untested or malicious artifacts through production pipelines, potentially deploying vulnerable or malicious code to production environments.
Likely Case
Users with standard Kubernetes permissions but without explicit promote permissions could bypass intended access controls and trigger promotions they shouldn't be authorized for.
If Mitigated
With proper network segmentation and minimal RBAC permissions, impact would be limited to authorized users who already have some level of access.
🎯 Exploit Status
Exploitation requires authenticated access with standard Kubernetes RBAC permissions for the underlying resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.9.3
Vendor Advisory: https://github.com/akuity/kargo/security/advisories/GHSA-5vvm-67pj-72g4
Restart Required: Yes
Instructions:
1. Backup current Kargo configuration. 2. Upgrade Kargo to version 1.9.3 or later. 3. Restart Kargo components. 4. Verify the fix by testing authorization on affected endpoints.
🔧 Temporary Workarounds
Disable REST API endpoints
allTemporarily disable the three vulnerable REST API endpoints until patching is possible.
# Configure Kargo to disable affected endpoints or restrict access via network policies
Restrict RBAC permissions
linuxTighten Kubernetes RBAC to remove patch/create permissions on freights/status and promotions from users who shouldn't have promote access.
kubectl edit rolebinding -n kargo-system
# Remove patch/create permissions from unauthorized users
🧯 If You Can't Patch
- Implement network policies to restrict access to Kargo REST API endpoints to only authorized users/services
- Audit and minimize RBAC permissions for all users, ensuring no one has both standard permissions and is denied promote verb
🔍 How to Verify
Check if Vulnerable:
Check Kargo version: kubectl get deployment -n kargo-system kargo-controller -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v1\.9\.[0-2]'Check Version:
kubectl get deployment -n kargo-system kargo-controller -o jsonpath='{.spec.template.spec.containers[0].image}'Verify Fix Applied:
After upgrade, test that users without promote permissions cannot access /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream endpoints📡 Detection & Monitoring
Log Indicators:
- Unauthorized promotion attempts via REST API
- Successful promotions from users without promote permissions
- Access to /v1beta1/projects/*/freight/*/approve or /v1beta1/projects/*/stages/*/promotions* endpoints
Network Indicators:
- HTTP requests to vulnerable endpoints from unauthorized sources
SIEM Query:
source="kargo" AND (path="/v1beta1/projects/*/freight/*/approve" OR path="/v1beta1/projects/*/stages/*/promotions*") AND user NOT IN authorized_promote_users