CVE-2026-27112: CWE-863: Incorrect Authorization in akuity kargo
Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can trigger a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions, when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack; however, worst-case scenarios remain entirely achievable even without it. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3.
AI Analysis
Technical Summary
CVE-2026-27112 is an incorrect authorization vulnerability (CWE-863) found in akuity kargo, a tool that manages and automates software artifact promotion. The flaw exists in the batch resource creation endpoints of both the legacy gRPC API and the newer REST API, which accept multi-document YAML payloads. Due to a logic bug in these endpoints, specially crafted payloads can inject arbitrary resources of specific types into the namespace of an existing Project without proper authorization checks. This injection occurs with the API server's own permissions, which are typically elevated, allowing attackers to escalate their privileges beyond intended limits. Exploiting this vulnerability does not require user interaction or prior authentication but does require some level of privileges (PR:L). Once escalated, attackers can achieve remote code execution or exfiltrate secrets such as artifact repository credentials. These credentials can then be used to conduct further attacks within the environment. In Kubernetes clusters underlying the kargo control plane, certain configurations allow attackers to leverage kubectl with elevated permissions to simplify remote code execution or secret theft, although the worst-case scenarios remain achievable without this. The vulnerability affects versions from 1.7.0 up to but not including 1.7.8, 1.8.11, and 1.9.3, where it has been patched. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability, confirming the critical nature of this vulnerability.
Potential Impact
The impact of CVE-2026-27112 is severe for organizations using affected versions of akuity kargo. Successful exploitation allows attackers to bypass authorization controls and inject arbitrary resources into project namespaces, effectively escalating their privileges. This can lead to remote code execution within the Kubernetes environment, compromising the integrity and availability of critical infrastructure. Secret exfiltration, including artifact repository credentials, can facilitate lateral movement and further compromise of software supply chains. Organizations relying on kargo for artifact promotion risk supply chain attacks, data breaches, and operational disruption. The ability to exploit this vulnerability remotely and without user interaction increases the attack surface and likelihood of exploitation. In Kubernetes clusters with permissive configurations, attackers can leverage kubectl to simplify exploitation, exacerbating the risk. Overall, this vulnerability threatens confidentiality, integrity, and availability of software delivery pipelines and underlying infrastructure, potentially impacting development, deployment, and production environments globally.
Mitigation Recommendations
To mitigate CVE-2026-27112, organizations should immediately upgrade akuity kargo to versions 1.7.8, 1.8.11, or 1.9.3 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to kargo APIs by implementing strict network segmentation and firewall rules to limit exposure to trusted users and systems only. Employ Kubernetes Role-Based Access Control (RBAC) policies to minimize permissions granted to kargo components and users, ensuring least privilege principles are enforced. Monitor API usage logs for anomalous multi-document YAML payloads or unusual resource creation patterns indicative of exploitation attempts. Rotate and audit artifact repository credentials regularly to reduce the impact of potential exfiltration. Additionally, review and harden Kubernetes cluster configurations, especially controlling kubectl access and ensuring that service accounts used by kargo have minimal privileges. Implement runtime security monitoring and intrusion detection to detect suspicious activities related to resource injection or privilege escalation. Finally, conduct security awareness training for DevOps and security teams to recognize and respond to exploitation attempts targeting software supply chain tools.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.042Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998d2dfbe58cf853bb9b974
Added to database: 2/20/2026, 9:32:15 PM
Last enriched: 2/28/2026, 12:37:08 PM
Last updated: 4/7/2026, 1:35:05 PM