Code Injection Vulnerability in Kargo Software Management by Akuity
CVE-2026-27112

9.4 CRITICAL

Key Information:

Vendor: Akuity
Status: Vendor
CVE Published: 20 February 2026

What is CVE-2026-27112?

Kargo, a software artifact management and automation tool, contains a vulnerability in the batch resource creation endpoints of its legacy gRPC API and REST API. A logic bug in the handling of multi-document YAML payloads allows a specially crafted payload to inject arbitrary resources into an existing project's namespace with the API server's permissions. This unauthorized resource injection can lead to privilege escalation, remote code execution, or the exfiltration of sensitive secrets such as artifact repository credentials. In certain configurations, an attacker can then use the elevated permissions with kubectl to carry out further attacks, which simplifies exploitation. The vulnerability is fixed in versions v1.7.8, v1.8.11, and v1.9.3.

Affected Version(s)

kargo: affected >= 1.9.0-rc.1, < 1.9.3; unaffected < 1.9.0-rc.1, 1.9.3

kargo: affected >= 1.8.0-rc.1, < 1.8.11; unaffected < 1.8.0-rc.1, 1.8.11

kargo: affected >= 1.7.0, < 1.7.8; unaffected < 1.7.0, 1.7.8

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
