Cyber Resilience

CVE-2026-32828

Low

Published: 20 March 2026

Published
20 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 2.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.5th percentile
Risk Priority 15 floored blend · peak EPSS

Summary

CVE-2026-32828 is a low-severity SSRF (CWE-918) vulnerability in Akuity Kargo. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against link-local addresses, most critically…

more

the cloud instance metadata endpoint (169.254.169.254), enabling exfiltration of sensitive data such as IAM credentials. These steps provide full control over request headers and methods, rendering cloud provider header-based SSRF mitigations ineffective. An authenticated attacker with permissions to create/update Stages or craft Promotion resources can exploit this by submitting a malicious Promotion manifest, with response data retrievable via Promotion status fields, Git repositories, or a second http step. This issue has been fixed in versions 1.6.4, 1.7.9, 1.8.12 and 1.9.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF to 169.254.169.254 directly enables Cloud Instance Metadata API access for IAM credential theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

akuity
kargo
1.4.0 — 1.6.4 · 1.7.0 — 1.7.9 · 1.8.0 — 1.8.12

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References