CVE-2026-42350

EUVD-2026-28857
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
5.1 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
akuitykargo
𝑥
< 1.7.10
CNA
Common Weakness Enumeration
References
https://github.com/akuity/kargo/security/advisories/GHSA-g7gw-m874-7rmf