CVE-2026-42350

Source
https://cve.org/CVERecord?id=CVE-2026-42350
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42350.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42350
Aliases
  • GHSA-g7gw-m874-7rmf
Published
2026-05-08T22:35:30.155Z
Modified
2026-07-08T08:13:16.339583781Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Query Parameter
Details

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42350.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601"
    ]
}
References

Affected packages

Git / github.com/akuity/kargo

Affected ranges

Type
GIT
Repo
https://github.com/akuity/kargo
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.10"
        },
        {
            "introduced": "1.8.0-rc.1"
        },
        {
            "fixed": "1.8.13"
        },
        {
            "introduced": "1.9.0-rc.1"
        },
        {
            "fixed": "1.9.8"
        },
        {
            "introduced": "1.10.0-rc.1"
        },
        {
            "fixed": "1.10.2"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.0-rc.1
v0.1.0-rc.10
v0.1.0-rc.11
v0.1.0-rc.12
v0.1.0-rc.13
v0.1.0-rc.14
v0.1.0-rc.15
v0.1.0-rc.16
v0.1.0-rc.17
v0.1.0-rc.18
v0.1.0-rc.19
v0.1.0-rc.2
v0.1.0-rc.20
v0.1.0-rc.21
v0.1.0-rc.22
v0.1.0-rc.23
v0.1.0-rc.24
v0.1.0-rc.3
v0.1.0-rc.4
v0.1.0-rc.5
v0.1.0-rc.6
v0.1.0-rc.7
v0.1.0-rc.8
v0.1.0-rc.9
v0.1.1-rc.1
v0.1.1-rc.2
v0.2.0
v0.2.0-rc.1
v0.2.0-rc.2
v0.3.0-alpha.1
v0.3.0-rc.1
v0.4.0-rc.1
v0.5.0-rc.1
v0.6.0-rc.1
v0.7.0-rc.1
v0.7.1
v0.8.0-rc.1
v1.*
v1.0.0
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.3
v1.0.0-rc.4
v1.0.0-rc.5
v1.1.0-rc.1
v1.1.0-rc.2
v1.1.2-rc.1
v1.10.0
v1.10.0-rc.1
v1.10.0-rc.2
v1.10.0-rc.3
v1.10.0-rc.4
v1.10.0-rc.5
v1.10.0-rc.6
v1.10.0-rc.7
v1.10.0-rc.8
v1.10.1
v1.2.0-rc.1
v1.2.0-soak-time-preview
v1.4.0-rc.1
v1.5.0-rc.1
v1.6.0-rc.1
v1.7.0
v1.7.0-rc.1
v1.7.0-rc.2
v1.7.0-rc.3
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.0-rc.1
v1.8.0-rc.2
v1.8.0-rc.3
v1.8.0-rc.4
v1.8.0-rc.5
v1.8.0-rc.6
v1.8.0-rc.7
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.0-rc.1
v1.9.0-rc.2
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42350.json"