Auth bypass in Akuity Kargo

CVE-2026-27112

Kargo manages and automates the promotion of software artifacts. In versions from 1.7.0 up to, but not including, v1.7.8, v1.8.11 and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads…

Vulnerability class: Broken Access Control

EPSS: 0.003 (51.1st percentile)

Affected products

  • Akuity Kargo — versions >= 1.9.0-rc.1, < 1.9.3; >= 1.8.0-rc.1, < 1.8.11; >= 1.7.0, < 1.7.8
