Vulnerability DatabaseCVE-2026-32828
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32828
March 20, 2026
Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against link-local addresses, most critically the cloud instance metadata endpoint (169.254.169.254), enabling exfiltration of sensitive data such as IAM credentials. These steps provide full control over request headers and methods, rendering cloud provider header-based SSRF mitigations ineffective. An authenticated attacker with permissions to create/update Stages or craft Promotion resources can exploit this by submitting a malicious Promotion manifest, with response data retrievable via Promotion status fields, Git repositories, or a second http step. This issue has been fixed in versions 1.6.4, 1.7.9, 1.8.12 and 1.9.5.
Affected Packages
https://github.com/akuity/kargo.git (GITHUB):
Affected version(s) >=v1.7.0 <v1.7.9
Fix Suggestion:
Update to version v1.7.9
https://github.com/akuity/kargo.git (GITHUB):
Affected version(s) >=v1.8.0 <v1.8.12
Fix Suggestion:
Update to version v1.8.12
https://github.com/akuity/kargo.git (GITHUB):
Affected version(s) >=v1.6.0 <v1.6.4
Fix Suggestion:
Update to version v1.6.4
https://github.com/akuity/kargo.git (GITHUB):
Affected version(s) >=v1.9.0 <v1.9.5
Fix Suggestion:
Update to version v1.9.5
github.com/akuity/kargo (GO):
Affected version(s) >=v1.9.0-rc.1 <v1.9.5
Fix Suggestion:
Update to version v1.9.5
github.com/akuity/kargo (GO):
Affected version(s) >=v1.4.0 <v1.6.4
Fix Suggestion:
Update to version v1.6.4
github.com/akuity/kargo (GO):
Affected version(s) >=v1.7.0-rc.1 <v1.7.9
Fix Suggestion:
Update to version v1.7.9
github.com/akuity/kargo (GO):
Affected version(s) >=v1.8.0-rc.1 <v1.8.12
Fix Suggestion:
Update to version v1.8.12
Related ResourcesĀ (4)
https://github.com/akuity/kargo/security/advisories/GHSA-j94x-8wcp-x7hm
https://github.com/akuity/kargo
https://nvd.nist.gov/vuln/detail/CVE-2026-32828
https://github.com/akuity/kargo/commit/fd25620c2473ed19bec4be4d0f181287ef0f0391
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918
EPSS
Base Score:
0.04