CVE-2026-27112

EPSS 0.21%
Veröffentlicht 20.02.2026 21:22:56
Zuletzt bearbeitet 25.02.2026 18:03:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Akuity ≫ Kargo SwPlatformkubernetes Version >= 1.7.0 < 1.7.8

Akuity ≫ Kargo SwPlatformkubernetes Version >= 1.8.0 < 1.8.11

Akuity ≫ Kargo SwPlatformkubernetes Version >= 1.9.0 < 1.9.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.425

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/akuity/kargo/security/advisories/GHSA-7g9x-cp9g-92mr

Vendor Advisory

https://github.com/akuity/kargo/commit/155c6852ffbffa2902f18e6c7add91a846e8d344

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-27112

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27112

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27112

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27112