PT-2026-45483 · Debian+2 · Kas

Published: 2026-06-01 · Updated: 2026-06-02 · CVE-2026-47191

CVSS v4.0: 2.1 (Low)
Vector: AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: kas versions prior to 5.3

Description: Users who rely exclusively on a git commit ID (SHA-1 or SHA-256) in a kas configuration to verify that a repository checkout matches a validated state may be deceived into checking out a branch whose name equals that commit ID. This occurs if an attacker takes over the referenced repository and adds such a branch. SHA-1 commit IDs are already exposed to hash-collision attacks; this issue primarily affects SHA-256 commit IDs.

Recommendations: Update to version 5.3. Avoid relying solely on the commit ID for integrity validation of repositories that could be controlled by a malicious third party. Validate cryptographically signed commits or tags if available. Mirror the repository to a secure location, validate its integrity, and use the mirror instead of the original repository.
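The check below is an added example, not code from the kas project or from this advisory. It shows the defensive pattern the recommendations imply: do not treat a successful `git checkout <id>` as proof that the working tree is at `<id>`; resolve HEAD to an object ID and compare it with the pinned value, and treat any branch or tag whose name equals the pinned commit ID as a red flag, since that is the shadowing condition described above. The function names, the optional `git verify-tag` helper, and the sample commit IDs and ref lists are assumptions constructed for the example.

```python
"""Verify that a git checkout really is the pinned commit ID.

Added example (not kas project code). The decision logic is pure so it can
run offline on constructed data; inspect_repo() gathers the same inputs from
a real clone with git. Names and sample data are assumptions.
"""
import re
import subprocess
from pathlib import Path
from typing import Iterable

# A full git object ID: 40 hex chars (SHA-1) or 64 hex chars (SHA-256).
FULL_ID = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def is_full_commit_id(value: str) -> bool:
    """True only for a complete SHA-1 or SHA-256 object ID (case-insensitive)."""
    return bool(FULL_ID.match(value.lower()))


def shadowing_refs(commit_id: str, refs: Iterable[str]) -> list[str]:
    """Refs (refs/heads/..., refs/tags/...) whose final component equals the ID."""
    wanted = commit_id.lower()
    return sorted(r for r in refs if r.rsplit("/", 1)[-1].lower() == wanted)


def verify_checkout(pinned: str, head_oid: str, refs: Iterable[str]) -> dict:
    """Decide whether HEAD is exactly the pinned commit.

    pinned:   the commit ID taken from the kas configuration
    head_oid: the object ID HEAD resolves to ("git rev-parse --verify HEAD")
    refs:     every ref name in the repository ("git for-each-ref")
    Returns {"ok": bool, "problems": [...]}; a caller should refuse to build
    from the checkout when ok is False.
    """
    problems = []
    if not is_full_commit_id(pinned):
        problems.append(f"pinned value {pinned!r} is not a full commit ID")
    shadows = shadowing_refs(pinned, refs)
    if shadows:
        problems.append("ref(s) named like the pinned commit: " + ", ".join(shadows))
    if head_oid.lower() != pinned.lower():
        problems.append(f"HEAD resolves to {head_oid}, expected {pinned}")
    return {"ok": not problems, "problems": problems}


def inspect_repo(repo: Path) -> tuple[str, list[str]]:
    """Gather HEAD's object ID and all ref names from a real clone (needs git)."""
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", str(repo), *args],
                              check=True, capture_output=True, text=True).stdout
    head = git("rev-parse", "--verify", "HEAD").strip()
    refs = git("for-each-ref", "--format=%(refname)").split()
    return head, refs


def signed_tag_is_valid(repo: Path, tag: str) -> bool:
    """Stronger check when upstream signs tags: exit status of "git verify-tag"."""
    result = subprocess.run(["git", "-C", str(repo), "verify-tag", tag],
                            capture_output=True, text=True)
    return result.returncode == 0


# --- constructed sample data (not from any real repository) -----------------
PINNED = "0123456789abcdef" * 4   # a 64-hex "SHA-256" commit ID from a config
OTHER = "fedcba9876543210" * 4    # what HEAD points at after a shadowed checkout

# Honest clone: HEAD is the pinned commit and nothing is named like it.
GOOD = verify_checkout(PINNED, PINNED, ["refs/heads/main", "refs/tags/v5.3"])
# Taken-over clone: a branch carries the commit ID as its name and HEAD is elsewhere.
BAD = verify_checkout(PINNED, OTHER, ["refs/heads/main", "refs/heads/" + PINNED])

if __name__ == "__main__":
    for name, result in (("honest", GOOD), ("shadowed", BAD)):
        print(name, "ok" if result["ok"] else "REJECT", result["problems"])
```

In a real pipeline the two inputs come from `inspect_repo()` on the clone kas produced, and the build proceeds only when `verify_checkout()` reports `ok`; the shadowing check fires even when HEAD happens to match, so a repository that has grown a branch named like a pinned commit is surfaced for review rather than silently accepted.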

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature
Related Identifiers

CVE-2026-47191
GHSA-QJWP-HRQ6-R26R

Affected Products

Kas