How severe is GHSA-j94x-8wcp-x7hm?

No CVSS score has been assigned to GHSA-j94x-8wcp-x7hm yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-j94x-8wcp-x7hm?

GHSA-j94x-8wcp-x7hm affects the following packages: github.com/akuity/kargo (Go), github.com/akuity/kargo (Go), github.com/akuity/kargo (Go), github.com/akuity/kargo (Go). Ecosystems affected: Go.

How do I fix GHSA-j94x-8wcp-x7hm?

Update github.com/akuity/kargo to 1.6.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-j94x-8wcp-x7hm is resolved across your whole dependency graph.

How do I detect GHSA-j94x-8wcp-x7hm in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/akuity/kargo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-j94x-8wcp-x7hm if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-j94x-8wcp-x7hm?

O3 pinpoints whether GHSA-j94x-8wcp-x7hm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-j94x-8wcp-x7hm actively exploited in the wild?

No public exploit code has been indexed for GHSA-j94x-8wcp-x7hm yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-j94x-8wcp-x7hm?

GHSA-j94x-8wcp-x7hm has an EPSS (Exploit Prediction Scoring System) score of 0.3%, placing it in the 24th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-j94x-8wcp-x7hm?

GHSA-j94x-8wcp-x7hm is classified as Server-Side Request Forgery (SSRF) (CWE-918). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-j94x-8wcp-x7hm published, and has it been updated?

GHSA-j94x-8wcp-x7hm was published on March 16, 2026 and was last updated on March 26, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-j94x-8wcp-x7hm

Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration

Also known asCVE-2026-32828GO-2026-4717

Published

Mar 16, 2026

Updated

Mar 26, 2026

Affected

4 pkgs

Patched

4 / 4

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.3%probability of exploitation in next 30 days

Lower Risk24th percentile+0.32%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

4 pkgs affected

🐹github.com/akuity/kargo🐹github.com/akuity/kargo🐹github.com/akuity/kargo🐹github.com/akuity/kargo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Kargo's built-in http and http-download promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for requests to internal and private endpoints. However, this also permits requests to link-local addresses, for which there are no known, legitimate use cases. Of particular concern is the cloud instance metadata endpoint (often 169.254.169.254), which is unauthenticated and can expose sensitive configuration data including IAM credentials. While cloud providers typically implement header-based SSRF mitigations for these endpoints, the http step provides full control over request method and headers, rendering these protections ineffective. The http-download step provides control over headers only (not method), but this is still sufficient for exfiltrating data from metadata endpoints.

There are two vectors for exploitation. A user with permission to create or update a Stage can configure its promotion template to include malicious http or http-download steps. Alternatively, a user with promote permission on any Stage can craft a Promotion resource directly. In either case, the controller executes the steps in-cluster, and response data can be inserted into Promotion status fields, written to a Git repository, or sent to a remote location using a second instance of the http step.

The remediation for this issue is the introduction of a safe HTTP transport that refuses to dial link-local addresses. Requests to private and internal addresses will continue to be permitted, as this is by design. It is the responsibility of services at such addresses to implement proper authentication and authorization, and/or the responsibility of platform teams to define and enforce network policies that restrict traffic appropriately.

Base Metrics

The following sections provide the rationale for the values selected for each of CVSS v4's base metrics.

Attack Vector (AV): Network

The Kargo API server is accessible over HTTP/HTTPS. No local, adjacent network, or physical access is required.

Attack Complexity (AC): Low

Exploitation requires only a crafted Promotion manifest submitted via the Kargo API. No race conditions, non-default configurations, or prior information gathering is required.

Attack Requirements (AT): None

No specific environmental conditions are required beyond a standard Kargo deployment. The http and http-download built-in steps are always available.

Privileges Required (PR): High

The attacker must be authenticated to the Kargo API server and hold permissions sufficient to create or update a Stage, or to craft a Promotion resource directly. Although these may not be considered administrative permissions, they are non-trivial, not granted broadly by default, and must be explicitly assigned by a project administrator.

User Interaction (UI): None

The attack is fully automated via API calls. No other user needs to take any action. The controller processes the malicious Promotion without human intervention.

Confidentiality Impact to Vulnerable System (VC): None

Kargo itself does not expose its own secrets or configuration data through this vulnerability. The impact is to other systems reachable from the controller's network position, not to Kargo's own data.

Integrity Impact to Vulnerable System (VI): None

Kargo's own data and configuration are not modified by this vulnerability. While malicious Promotion resources are created, they function within Kargo's normal processing pipeline.

Availability Impact to Vulnerable System (VA): None

This vulnerability does not enable denial of service against Kargo. Each Promotion executes a bounded set of HTTP requests and does not consume disproportionate resources.

Confidentiality Impact to Subsequent Systems (SC): Low

The controller runs in-cluster and can reach link-local addresses, including cloud instance metadata endpoints. These endpoints are unauthenticated and can expose sensitive data such as IAM credentials. Provider-side header-based SSRF mitigations are ineffective because these steps provide full control over request headers.

Integrity Impact to Subsequent Systems (SI): None

Cloud instance metadata endpoints are read-only. While the http step supports arbitrary HTTP methods, the only unintended access enabled by this vulnerability is to link-local addresses, and these do not accept state-changing requests.

Availability Impact to Subsequent Systems (SA): None

A single HTTP request per promotion step does not constitute a meaningful denial-of-service vector against subsequent systems. There is no amplification mechanism.

Mitigating Factors

Exploitation requires authentication to the Kargo API server with permissions to create or update Stages, or to craft Promotion resources directly. These permissions must be explicitly granted by a project administrator.
All Promotion creation is audited. The creating user's identity is recorded in annotations and Kubernetes events, providing a clear forensic trail.
The practical impact is limited to cloud instance metadata endpoints. Access to private and internal addresses is by design, and services at those addresses are expected to implement their own authentication and authorization.

Affected Packages

4 total 4 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/akuity/kargo`	≥ 1.4.0&&< 1.6.4	1.6.4
🐹Go	`github.com/akuity/kargo`	≥ 1.7.0-rc.1&&< 1.7.9	1.7.9
🐹Go	`github.com/akuity/kargo`	≥ 1.8.0-rc.1&&< 1.8.12	1.8.12
🐹Go	`github.com/akuity/kargo`	≥ 1.9.0-rc.1&&< 1.9.5	1.9.5

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/akuity/kargo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/akuity/kargo to 1.6.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-j94x-8wcp-x7hm is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-j94x-8wcp-x7hm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-j94x-8wcp-x7hm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary Kargo's built-in `http` and `http-download` promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for requests to internal and private endpoints. However, this also permits requests to link-local addresses, for which there are no known, legitimate use cases. Of particular concern is the cloud instance metadata endpoint (often `169.254.169.254`), which is unauthenticated and can expose sensitive configuration data including IAM credentials. While cloud providers typica

O3 Security · Impact-Aware SCA

Is GHSA-j94x-8wcp-x7hm in your dependencies?

O3 detects GHSA-j94x-8wcp-x7hm across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works