CVE-2026-27112

{"id": "CVE-2026-27112", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-20T22:16:29.343", "references": [{"url": "https://github.com/akuity/kargo/commit/155c6852ffbffa2902f18e6c7add91a846e8d344", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/akuity/kargo/security/advisories/GHSA-7g9x-cp9g-92mr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3."}, {"lang": "es", "value": "Kargo gestiona y automatiza la promoci\u00f3n de artefactos de software. Desde la 1.7.0 hasta antes de las v1.7.8, v1.8.11 y v1.9.3, los puntos finales de creaci\u00f3n de recursos por lotes tanto de la API gRPC heredada de Kargo como de la API REST m\u00e1s reciente aceptan cargas \u00fatiles YAML de m\u00faltiples documentos. Cargas \u00fatiles especialmente dise\u00f1adas pueden manifestar un error presente en la l\u00f3gica de ambos puntos finales para inyectar recursos arbitrarios (solo de tipos espec\u00edficos) en el espacio de nombres subyacente de un Proyecto existente utilizando los propios permisos del servidor API cuando ese comportamiento no estaba previsto. Cr\u00edticamente, un atacante puede explotar esto como un vector para elevar sus propios permisos, lo que luego puede aprovecharse para lograr la ejecuci\u00f3n remota de c\u00f3digo o la exfiltraci\u00f3n de secretos. Las credenciales de repositorio de artefactos exfiltradas pueden aprovecharse, a su vez, para ejecutar ataques adicionales. En algunas configuraciones del cl\u00faster de Kubernetes subyacente del plano de control de Kargo, los permisos elevados pueden aprovecharse adicionalmente para lograr la ejecuci\u00f3n remota de c\u00f3digo o la exfiltraci\u00f3n de secretos usando kubectl. Esto puede reducir la complejidad del ataque, sin embargo, los escenarios de peor caso siguen siendo totalmente alcanzables incluso sin esto. Esta vulnerabilidad est\u00e1 corregida en las v1.7.8, v1.8.11 y v1.9.3."}], "lastModified": "2026-02-25T18:03:32.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "5A5AF03C-6D09-45BD-9C5D-A26A58F2FF32", "versionEndExcluding": "1.7.8", "versionStartIncluding": "1.7.0"}, {"criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "E8F9AD6D-0D73-48DE-BC30-52DA3E9539A9", "versionEndExcluding": "1.8.11", "versionStartIncluding": "1.8.0"}, {"criteria": "cpe:2.3:a:akuity:kargo:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "3B60DE85-B240-4BA0-896D-2A0BA369B0AF", "versionEndExcluding": "1.9.3", "versionStartIncluding": "1.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}