CVE-2026-32828
SSRF in Kargo Promotion Steps Enables Cloud Metadata Exposure
Publication date: 2026-03-20
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| akuity | kargo | From 1.4.0 (inc) to 1.6.4 (exc) |
| akuity | kargo | From 1.7.0 (inc) to 1.7.9 (exc) |
| akuity | kargo | From 1.8.0 (inc) to 1.8.12 (exc) |
| akuity | kargo | From 1.9.0 (inc) to 1.9.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32828 is a Server-Side Request Forgery (SSRF) vulnerability in the Kargo software, specifically in its `http` and `http-download` promotion steps. These steps allow the Kargo controller to make outbound HTTP requests without properly restricting the destination addresses, enabling attackers to target link-local IP addresses such as the cloud instance metadata endpoint (169.254.169.254).
An authenticated attacker with permissions to create or update Stages or craft Promotion resources can exploit this by submitting malicious promotion manifests that cause the Kargo controller to send requests to internal metadata services. Because the http step allows full control over HTTP headers and methods, typical cloud provider SSRF protections are bypassed.
The vulnerability enables exfiltration of sensitive data like IAM credentials from the cloud metadata endpoint. The issue has been fixed by implementing a safe HTTP transport layer that blocks requests to link-local IP addresses, preventing SSRF attacks targeting these internal endpoints.
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker with elevated permissions in Kargo to exfiltrate sensitive data such as IAM credentials from cloud instance metadata endpoints by exploiting SSRF.
The attacker can embed malicious HTTP requests in promotion templates or Promotion resources, which the Kargo controller executes internally, potentially leaking sensitive metadata.
While the vulnerability does not impact Kargo's own confidentiality, integrity, or availability, it poses a risk to the confidentiality of subsequent systems by exposing sensitive cloud credentials.
Exploitation requires high privileges (authenticated user with create/update Stage or promote permissions), which are not broadly granted by default and are auditable. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-32828, upgrade Kargo to one of the patched versions: 1.6.4, 1.7.9, 1.8.12, or 1.9.5.
The fix involves using a safe HTTP transport layer that blocks outbound HTTP requests to link-local IP addresses, including the cloud instance metadata endpoint (169.254.169.254). This prevents Server-Side Request Forgery (SSRF) attacks targeting these sensitive endpoints.
Ensure that only trusted users have permissions to create or update Stages or craft Promotion resources, as exploitation requires authenticated users with elevated privileges.
Additionally, implement network policies or firewall rules to restrict access to link-local IP ranges from the Kargo controller or related components, if possible.
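The "safe HTTP transport" the fix describes is, in essence, a dialer that refuses link-local destinations. The following is an added illustration in Go (Kargo's implementation language), not Kargo's own code: the function names `IsBlockedIP`, `SafeControl` and `NewSafeTransport` are my own. The check lives in the dialer's `Control` hook so it runs on the resolved IP address immediately before connecting, which also catches hostnames that resolve to 169.254.169.254 and connections opened while following redirects.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
)

// IsBlockedIP reports whether the controller must refuse to dial ip: link-local
// (169.254.0.0/16 and fe80::/10, where cloud metadata lives), loopback, and
// unspecified addresses. IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254
// are normalised first so they cannot slip past the IPv4 checks.
func IsBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsLoopback() || ip.IsUnspecified()
}

// SafeControl runs after name resolution and just before connect(2), so it
// sees the literal address being dialled. Checking here rather than on the
// hostname also covers DNS names that resolve to a metadata address.
func SafeControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || IsBlockedIP(ip) {
		return fmt.Errorf("ssrf guard: refusing to dial %q", address)
	}
	return nil
}

// NewSafeTransport builds the http.Transport a promotion step would use; the
// guard applies to every connection, including those opened for redirects.
// Deployments that never need RFC 1918 or fc00::/7 destinations can add
// ip.IsPrivate() to IsBlockedIP for a stricter policy.
func NewSafeTransport() *http.Transport {
	d := &net.Dialer{Control: SafeControl}
	return &http.Transport{DialContext: d.DialContext}
}
```

Pair the transport with a client whose `CheckRedirect` and timeouts are also set; the dialer guard alone does not bound how long a step can spend talking to an allowed host.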