CVE-2026-27111: CWE-862: Missing Authorization in akuity kargo
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
AI Analysis
Technical Summary
Akuity Kargo is a tool that manages and automates software artifact promotion pipelines. From versions 1.9.0 through 1.9.2, Kargo implements a custom authorization model that includes a non-standard Kubernetes verb called 'promote'. This verb is designed to separate the ability to manage promotion-related resources from the ability to actually trigger promotions, enabling fine-grained access control over a sensitive operation. While the legacy gRPC API correctly enforces this promote verb, three endpoints in the newer REST API do not enforce it. Instead, these endpoints rely solely on standard Kubernetes RBAC permissions for patching freight status or creating promotions. The endpoints affected are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. Because these endpoints omit the promote verb check, users who have standard permissions to patch or create but were deliberately not granted promote permissions can bypass the intended authorization boundary and trigger promotions they should not be authorized to perform. This represents a missing authorization vulnerability classified as CWE-862. The vulnerability was assigned CVE-2026-27111 and has a CVSS 4.0 base score of 5.3 (medium severity). The vulnerability was publicly disclosed on February 20, 2026, and fixed in Kargo version 1.9.3.
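To make the authorization gap concrete, the following Go model (added here; it is not Kargo's own code) contrasts a REST check that relies only on the underlying resource permission with one that also gates on the promote verb, as the gRPC API does. The Subject and Permission types, the in-memory grant map, and the assumption that promote is granted on the "stages" resource are constructed for this example; the advisory names only the verb and the three endpoints.

```go
package main
import (
	"errors"
	"fmt"
)

// Permission is one (verb, resource) grant, e.g. {"patch", "freights/status"}.
type Permission struct{ Verb, Resource string }
// Subject holds a caller's grants. Constructed for this example; Kargo evaluates
// real Kubernetes RBAC, not an in-memory map.
type Subject struct{ Grants map[Permission]bool }
func (s Subject) Can(verb, resource string) bool { return s.Grants[Permission{verb, resource}] }
var ErrForbidden = errors.New("forbidden")

// underlying maps each affected REST endpoint to the standard Kubernetes
// operation it performs, as listed in the advisory.
var underlying = map[string]Permission{
	"/v1beta1/projects/{project}/freight/{freight}/approve":            {"patch", "freights/status"},
	"/v1beta1/projects/{project}/stages/{stage}/promotions":            {"create", "promotions"},
	"/v1beta1/projects/{project}/stages/{stage}/promotions/downstream": {"create", "promotions"},
}

// authorizeVulnerable models the v1.9.0-v1.9.2 REST behaviour: only the
// underlying resource operation is checked, so the promote verb never matters.
func authorizeVulnerable(s Subject, endpoint string) error {
	need, ok := underlying[endpoint]
	if !ok || !s.Can(need.Verb, need.Resource) {
		return ErrForbidden
	}
	return nil
}

// authorizeFixed adds the promote-verb gate the gRPC API already applied.
// Assumption: promote is granted on the "stages" resource; the advisory names only the verb.
func authorizeFixed(s Subject, endpoint string) error {
	if err := authorizeVulnerable(s, endpoint); err != nil {
		return err
	}
	if !s.Can("promote", "stages") {
		return fmt.Errorf("%w: missing promote verb", ErrForbidden)
	}
	return nil
}

func main() {
	// Constructed caller: holds the standard grants but was deliberately not given promote.
	bot := Subject{Grants: map[Permission]bool{{"patch", "freights/status"}: true, {"create", "promotions"}: true}}
	ep := "/v1beta1/projects/{project}/freight/{freight}/approve"
	fmt.Println("vulnerable:", authorizeVulnerable(bot, ep), "fixed:", authorizeFixed(bot, ep))
}
```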
Potential Impact
This vulnerability allows users who hold only the standard Kubernetes RBAC permissions (patch on freights/status or create on promotions), but not the promote verb, to bypass intended access controls and trigger software artifact promotions. Since promotion pipelines often gate the release of software to production or downstream environments, unauthorized promotion can lead to premature or unapproved deployment of software artifacts. This can result in the introduction of unvetted code, potential service disruptions, or the deployment of malicious or unstable software. Organizations relying on Kargo for their CI/CD or release automation pipelines may face integrity risks to their software supply chain. The impact is primarily on integrity and potentially availability if improper promotions cause failures. Confidentiality impact is minimal. Because exploitation requires some level of privileges (patch or create on those resources), the risk is limited to users with those permissions, but the bypass of the promote verb reduces the granularity of access control and increases the attack surface. No user interaction is required, and the vulnerability is remotely exploitable over the network. No known exploits are reported in the wild yet, but the vulnerability could be leveraged by insiders or compromised accounts to escalate promotion privileges.
Mitigation Recommendations
Upgrade Akuity Kargo to version 1.9.3 or later, where the missing authorization checks on the REST API endpoints are fixed. Until the upgrade is possible, organizations should audit and restrict Kubernetes RBAC permissions carefully, ensuring that only fully trusted users hold patch on freights/status or create on promotions, since in the affected versions those grants alone are sufficient to promote through the REST API. Implement monitoring and alerting on promotion-related API calls, including the three affected REST endpoints, to detect unauthorized promotion attempts. Consider isolating promotion operations to dedicated service accounts with minimal privileges. Review and tighten access control policies around promotion pipelines and artifact management. Conduct regular security reviews of CI/CD pipeline permissions and logs. If feasible, disable or restrict access to the affected REST API endpoints until patched. Employ network segmentation and zero trust principles to limit exposure of Kargo management interfaces. Finally, educate developers and operators about the purpose of the promote verb and the risks of bypassing it.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, Netherlands, France, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.042Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998d2dfbe58cf853bb9b970
Added to database: 2/20/2026, 9:32:15 PM
Last enriched: 2/20/2026, 9:47:14 PM
Last updated: 2/21/2026, 12:17:50 AM