PT-2026-21302 · Kargo · Kargo
B0B0Haha · Published 2026-02-19 · Updated 2026-03-03 · CVE-2026-27111
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Kargo versions 1.9.0 through 1.9.2
Description: Kargo manages and automates the promotion of software artifacts. Its authorization model includes a 'promote' verb intended to control access to promotion pipelines. The gRPC API enforces this check correctly, but three endpoints in the REST API omit it and rely solely on standard Kubernetes RBAC. As a result, users who hold standard permissions but lack explicit 'promote' access can bypass the intended authorization boundary. The affected API endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. The root cause is the missing authorization check for the 'promote' verb on these endpoints.
Recommendations: Upgrade to version 1.9.3 or later to resolve this issue.

Weakness Enumeration: Missing Authorization

Related Identifiers:
CVE-2026-27111
GHSA-5VVM-67PJ-72G4
GO-2026-4515
SUSE-SU-2026:0757-1

Affected Products: Kargo