CVE-2026-27111
Received Received - Intake

Authorization Bypass in Kargo REST API Allows Promotion Escalation

Vulnerability report for CVE-2026-27111, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-20

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description

Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-20
Last Modified
2026-02-25
Generated
2026-07-06
AI Q&A
2026-02-21
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
akuity kargo From 1.9.0 (inc) to 1.9.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Kargo versions 1.9.0 to 1.9.2 and involves the authorization model for promoting software artifacts. Kargo uses a special 'promote' verb to control who can advance Freight through a promotion pipeline, which is a sensitive operation. While this promote verb is properly enforced in the legacy gRPC API, three endpoints in the newer REST API fail to enforce this check. Instead, they rely only on standard Kubernetes RBAC permissions, which allows users who have standard permissions but were not granted the promote verb to bypass the intended authorization controls and perform promotion actions they should not be allowed to.

  • The affected REST API endpoints are: /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream.

This issue was fixed in Kargo version 1.9.3.

Impact Analysis

This vulnerability can allow users who do not have explicit permission to promote software artifacts to bypass authorization controls and perform promotion actions. This could lead to unauthorized advancement of software through the promotion pipeline, potentially resulting in unapproved or malicious software being deployed or released.

Such unauthorized promotions can undermine the integrity of the software delivery process, increase the risk of introducing vulnerabilities or unstable code into production environments, and compromise the overall security posture of the organization.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Kargo to version 1.9.3 or later, where the authorization checks for the promote verb in the REST API endpoints have been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart