Skip to main content

Kargo CVE-2026-42350

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-08 GitHub_M
Open Redirect
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVSS changed
May 08, 2026 - 23:22 NVD
5.1 (MEDIUM)
CVE Published
May 08, 2026 - 22:35 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 22:35 nvd
MEDIUM 5.1

DescriptionNVD

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.

AnalysisAI

Open redirect vulnerability in Kargo UI OIDC login flow allows unauthenticated remote attackers to redirect users to arbitrary external websites via a malicious redirectTo query parameter. Versions prior to 1.7.10, 1.8.13, 1.9.8, and 1.10.2 are affected. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42350 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy