CVE-2026-27111: CWE-862: Missing Authorization in akuity kargo
Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3.
AI Analysis
Technical Summary
Akuity kargo is a tool that manages and automates the promotion of software artifacts through defined pipelines. From versions 1.9.0 to 1.9.2, kargo implements a custom authorization model that includes a non-standard Kubernetes verb called 'promote'. This verb is designed to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over sensitive promotion operations. While the legacy gRPC API correctly enforces the 'promote' verb authorization, three REST API endpoints—/v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream—fail to enforce this check. Instead, they rely solely on standard Kubernetes RBAC permissions such as patch on freights/status or create on promotions. This omission allows users who have these standard permissions but were not granted the 'promote' verb to bypass the intended authorization boundary and advance software artifacts through the promotion pipeline without proper authorization. This vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS 4.0 base score of 5.3, indicating medium severity. The vulnerability does not require user interaction and can be exploited remotely with low privileges. The issue is resolved in kargo version 1.9.3, where the REST API endpoints properly enforce the 'promote' verb authorization. No known exploits have been reported in the wild as of the publication date.
Potential Impact
This vulnerability allows unauthorized users with limited Kubernetes RBAC permissions to bypass critical authorization controls and promote software artifacts through kargo's promotion pipeline. The impact includes potential compromise of software release integrity, as unauthorized promotions could introduce unvetted or malicious artifacts into production or downstream environments. This undermines the trustworthiness of the software delivery process and could lead to deployment of vulnerable or malicious code. Organizations relying on kargo for artifact promotion risk unauthorized changes to their release pipelines, which could result in operational disruptions, compliance violations, and increased attack surface. Since the promotion process is often a sensitive operation in CI/CD workflows, this flaw could be leveraged by insiders or attackers with limited access to escalate their privileges within the software delivery lifecycle. The medium CVSS score reflects the moderate impact and ease of exploitation without user interaction, but limited scope due to required Kubernetes permissions. However, the potential for supply chain compromise elevates the risk for organizations with critical software delivery pipelines using affected kargo versions.
Mitigation Recommendations
Organizations should upgrade akuity kargo to version 1.9.3 or later, where the REST API endpoints correctly enforce the 'promote' verb authorization. Until upgrading, administrators should audit and tighten Kubernetes RBAC so that subjects without an explicit 'promote' grant hold neither patch on freights/status nor create on promotions, since either permission alone is enough to reach the affected endpoints. Implement strict role separation and least privilege around promotion-related resources. Monitor API access logs for promotion-related activity, especially calls to the three affected REST endpoints. Consider additional external authorization or admission controls to enforce promotion policies. Regularly review CI/CD pipeline security configurations to detect unauthorized promotion attempts, and test promotion workflows for other authorization gaps. Finally, track vendor advisories and apply patches promptly to reduce exposure.
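As an added example (not part of this advisory and not Kargo's own code), the following script audits a set of Kubernetes RBAC rules for the combination the mitigation above describes: patch on freights/status or create on promotions held by a role that was never granted the promote verb. It assumes Kargo's resources and its promote verb live in the kargo.akuity.io API group, and the sample roles are constructed.

```python
# Added example, not Kargo's own code: audit Kubernetes RBAC rules for the gap
# described above. On Kargo v1.9.0-v1.9.2 a subject holding "patch" on
# freights/status or "create" on promotions reaches the affected REST endpoints
# without ever being granted the "promote" verb.
# Assumption: Kargo's resources and the promote verb live in "kargo.akuity.io".

KARGO_GROUP = "kargo.akuity.io"  # assumed API group
# Standard-verb grants that reach the three affected endpoints without promote.
SENSITIVE = (("freights/status", "patch"), ("promotions", "create"))

def _in_group(rule: dict) -> bool:
    groups = rule.get("apiGroups", [])
    return "*" in groups or KARGO_GROUP in groups

def _matches(rule: dict, resource: str, verb: str) -> bool:
    """True if one RBAC rule grants `verb` on `resource`, honouring "*" wildcards."""
    resources, verbs = rule.get("resources", []), rule.get("verbs", [])
    return (_in_group(rule) and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))

def grants_promote(rules: list[dict]) -> bool:
    """Whether any rule carries the promote verb (a "*" verb list covers it too)."""
    return any(_in_group(r) and ("*" in r.get("verbs", []) or "promote" in r.get("verbs", []))
               for r in rules)

def audit_role(rules: list[dict]) -> list[str]:
    """Sensitive grants held WITHOUT promote; an empty list means the role is fine."""
    if grants_promote(rules):
        return []
    return [f"{res}:{verb}" for res, verb in SENSITIVE
            if any(_matches(r, res, verb) for r in rules)]

def audit_all(roles: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Map each offending role name to the grants that bypass the promote check."""
    return {name: hits for name, hits in ((n, audit_role(r)) for n, r in roles.items()) if hits}

# Constructed sample roles (not taken from any real cluster).
SAMPLE_ROLES: dict[str, list[dict]] = {
    # Looks like a harmless editor role, yet patch on freights/status approves Freight.
    "freight-editor": [{"apiGroups": [KARGO_GROUP], "resources": ["freights", "freights/status"],
                        "verbs": ["get", "patch", "update"]}],
    # Intended promoter: create on promotions together with the promote verb.
    "release-manager": [{"apiGroups": [KARGO_GROUP], "resources": ["promotions"], "verbs": ["create", "get"]},
                        {"apiGroups": [KARGO_GROUP], "resources": ["stages"], "verbs": ["get", "promote"]}],
}

if __name__ == "__main__":
    for name, hits in audit_all(SAMPLE_ROLES).items():
        print(f"{name}: can trigger promotions without 'promote' via {', '.join(hits)}")
```

Feed it the rules from your real Roles and ClusterRoles (for example the output of `kubectl get roles,clusterroles -o json`) to list the roles that should lose patch/create or gain an explicit promote grant before the upgrade.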
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, Netherlands, France, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.042Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998d2dfbe58cf853bb9b970
Added to database: 2/20/2026, 9:32:15 PM
Last enriched: 2/28/2026, 12:36:47 PM
Last updated: 4/7/2026, 6:49:37 AM