Open Redirect Vulnerability in Kargo Software Management Tool
CVE-2026-42350

5.1 MEDIUM

Key Information:

Vendor: Akuity
Status: Vendor
CVE Published: 8 May 2026

What is CVE-2026-42350?

Kargo, a tool for managing and automating the promotion of software artifacts, is affected by an open redirect vulnerability. The 'redirectTo' query parameter in the UI OIDC login flow is not adequately validated, so an attacker can supply a value that sends users to an attacker-chosen site after login. This issue affects versions prior to 1.7.10, 1.8.13, 1.9.8, and 1.10.2; those releases contain the fix. Kargo users should update to a patched version.
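The weakness described above is a redirect target taken straight from a query parameter. The Go below is an added, hypothetical illustration written for this page (it is not Kargo's code or Kargo's actual fix): it contrasts the unchecked pattern with a validator that only returns a same-origin path and otherwise falls back to a fixed landing page, rejecting absolute URLs, protocol-relative '//host' forms, and the '/\host' variant some browsers normalise. The parameter name 'redirectTo' is from the advisory; the fallback path and all sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// defaultLanding is where the login callback sends the user when the
// requested redirect target is rejected (hypothetical value).
const defaultLanding = "/"

// unsafeRedirectTarget shows the pattern behind an open redirect: the
// parameter is trusted as-is, so any absolute URL is honoured.
func unsafeRedirectTarget(r *http.Request) string {
	return r.URL.Query().Get("redirectTo")
}

// SafeRedirectTarget accepts only a site-local path and otherwise returns
// defaultLanding together with the reason for rejection.
func SafeRedirectTarget(raw string) (string, error) {
	if raw == "" {
		return defaultLanding, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return defaultLanding, err
	}
	// A scheme, host, userinfo or opaque part means an absolute URL
	// (https://evil.example, //evil.example, javascript:...).
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return defaultLanding, errors.New("absolute URL not allowed")
	}
	// Require an absolute path on this origin; refuse "//" (protocol-
	// relative) and "/\" (normalised to "//" by some browsers).
	p := u.Path
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
		return defaultLanding, errors.New("path must be local and start with a single '/'")
	}
	// Rebuild from the parsed parts so nothing unexpected survives.
	out := &url.URL{Path: p, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return out.String(), nil
}

func main() {
	// Constructed sample values, as an attacker-supplied redirectTo might arrive.
	for _, raw := range []string{"/stages?x=1", "https://evil.example/", "//evil.example/x", "/\\evil.example"} {
		target, err := SafeRedirectTarget(raw)
		fmt.Printf("%-24q -> %q (%v)\n", raw, target, err)
	}
}
```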

Affected Version(s)

  • kargo < 1.7.10
  • kargo >= 1.8.0-rc.1, < 1.8.13
  • kargo >= 1.9.0-rc.1, < 1.9.8

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved