CVE-2026-32828

Name of the Vulnerable Software and Affected Versions Kargo versions 1.4.0 through 1.6.3 Kargo versions 1.7.0-rc.1 through 1.7.8 Kargo versions 1.8.0-rc.1 through 1.8.11 Kargo versions 1.9.0-rc.1 through 1.9.4

Description Kargo's built-in http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against link-local addresses, specifically the cloud instance metadata endpoint (169.254.169.254). These steps provide full control over request headers and methods, bypassing cloud provider header-based SSRF mitigations. An authenticated attacker with permissions to create or update Stages or craft Promotion resources can exploit this by submitting a malicious Promotion manifest. Response data can be retrieved via Promotion status fields, Git repositories, or a second http step. The issue enables the exfiltration of sensitive data, such as IAM credentials. The http step provides full control over request method and headers, while the http-download step provides control over headers only.

Recommendations Versions 1.4.0 through 1.6.3 should be upgraded to version 1.6.4 or later. Versions 1.7.0-rc.1 through 1.7.8 should be upgraded to version 1.7.9 or later. Versions 1.8.0-rc.1 through 1.8.11 should be upgraded to version 1.8.12 or later. Versions 1.9.0-rc.1 through 1.9.4 should be upgraded to version 1.9.5 or later.