CVE-2026-27112 is an incorrect authorization vulnerability (CWE-863) affecting akuity kargo, a software artifact promotion and automation tool. The flaw exists in the batch resource creation endpoints of both the legacy gRPC API and the newer REST API, which accept multi-document YAML payloads. Due to improper authorization checks, specially crafted payloads can inject arbitrary resources of specific types into the namespace of an existing Project. This injection occurs with the API server's permissions, which are typically elevated, allowing attackers to escalate their privileges beyond intended limits. Exploiting this vulnerability enables attackers to perform remote code execution or exfiltrate sensitive secrets such as artifact repository credentials. These credentials can then be used to conduct further attacks within the environment. Additionally, in some Kubernetes cluster configurations underlying the Kargo control plane, attackers with elevated permissions can leverage kubectl to simplify achieving remote code execution or secret exfiltration. The vulnerability affects versions from 1.7.0 up to but not including 1.7.8, 1.8.11, and 1.9.3, where it has been patched. The CVSS 4.0 score of 9.4 indicates a critical severity, with network attack vector, low attack complexity, no privileges required initially but some privileges needed for exploitation, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the potential for severe impact is significant given the elevated permissions and possible remote code execution.

The vulnerability poses a critical risk to organizations using affected versions of akuity kargo, especially those managing sensitive software artifact repositories and Kubernetes clusters. Exploitation can lead to unauthorized privilege escalation, enabling attackers to execute arbitrary code remotely and exfiltrate secrets such as repository credentials. This can compromise the integrity of software supply chains, leading to the distribution of malicious artifacts or unauthorized access to internal systems. The ability to leverage kubectl in certain Kubernetes configurations further amplifies the risk by simplifying lateral movement and control over cluster resources. Organizations may face severe operational disruptions, data breaches, and potential compliance violations. The widespread use of Kubernetes and artifact management tools in cloud-native environments increases the scope and potential impact of this vulnerability globally.

Organizations should immediately upgrade akuity kargo to versions 1.7.8, 1.8.11, or 1.9.3 or later to apply the official patches. Until upgrades are possible, restrict access to the batch resource creation endpoints by implementing strict network segmentation and API access controls. Employ Kubernetes Role-Based Access Control (RBAC) policies to minimize permissions granted to the API server and service accounts, limiting the potential impact of privilege escalation. Monitor API server logs and Kubernetes audit logs for unusual multi-document YAML payload submissions or unauthorized resource creations. Use runtime security tools to detect anomalous behavior indicative of exploitation attempts. Regularly rotate artifact repository credentials and secrets to reduce the window of opportunity for attackers. Conduct thorough security reviews of Kubernetes cluster configurations to ensure that kubectl and other administrative tools are not exposed unnecessarily. Finally, integrate vulnerability scanning and continuous monitoring into the software supply chain to detect and respond to similar threats proactively.