CVE-2026-27111
Received Received - Intake
Authorization Bypass in Kargo REST API Allows Promotion Escalation

Publication date: 2026-02-20

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27111
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
akuity kargo From 1.9.0 (inc) to 1.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Kargo versions 1.9.0 to 1.9.2 and involves the authorization model for promoting software artifacts. Kargo uses a special 'promote' verb to control who can advance Freight through a promotion pipeline, which is a sensitive operation. While this promote verb is properly enforced in the legacy gRPC API, three endpoints in the newer REST API fail to enforce this check. Instead, they rely only on standard Kubernetes RBAC permissions, which allows users who have standard permissions but were not granted the promote verb to bypass the intended authorization controls and perform promotion actions they should not be allowed to.

  • The affected REST API endpoints are: /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream.

This issue was fixed in Kargo version 1.9.3.

Impact Analysis

This vulnerability can allow users who do not have explicit permission to promote software artifacts to bypass authorization controls and perform promotion actions. This could lead to unauthorized advancement of software through the promotion pipeline, potentially resulting in unapproved or malicious software being deployed or released.

Such unauthorized promotions can undermine the integrity of the software delivery process, increase the risk of introducing vulnerabilities or unstable code into production environments, and compromise the overall security posture of the organization.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Kargo to version 1.9.3 or later, where the authorization checks for the promote verb in the REST API endpoints have been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart