CVE-2026-42350 Overview
CVE-2026-42350 is an open redirect vulnerability [CWE-601] in Kargo, an open-source tool that manages and automates the promotion of software artifacts. The flaw exists in the user interface OpenID Connect (OIDC) login flow and is triggered through the redirectTo query parameter. An attacker can craft a malicious login URL that redirects an authenticated user to an attacker-controlled domain after the OIDC flow completes. The vulnerability affects Kargo versions prior to 1.7.10, 1.8.13, 1.9.8, and 1.10.2.
Critical Impact
Attackers can put a legitimate Kargo hostname on a phishing link: the victim authenticates to the real Kargo instance and is then sent to an attacker-controlled site that can harvest credentials or deliver malware. Because Kargo is operated by DevOps and platform engineering teams, the likely targets are accounts that hold deployment and promotion rights.
Affected Products
- Kargo 1.7.x prior to 1.7.10
- Kargo 1.8.x prior to 1.8.13
- Kargo 1.9.x prior to 1.9.8
- Kargo 1.10.x prior to 1.10.2
Discovery Timeline
- 2026-05-08 - CVE-2026-42350 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42350
Vulnerability Analysis
Kargo exposes a web UI that authenticates users through an OIDC identity provider. The login flow accepts a redirectTo query parameter that determines where the user is sent after successful authentication. The application fails to validate that the supplied value points to a same-origin destination, allowing arbitrary external URLs to be supplied.
The vulnerability is classified under [CWE-601] URL Redirection to Untrusted Site. Exploitation requires user interaction, since the victim must follow the crafted link, but it requires no privileges on the Kargo instance. The victim does not need to be logged in beforehand either: the link starts the OIDC login, and the redirect fires after the identity provider returns the user to Kargo, so the victim lands on the attacker's page having just completed a genuine login. The EPSS probability is 0.054%, at the 16.845th percentile.
Root Cause
The redirectTo parameter is consumed by the UI OIDC handler without applying an allowlist of permitted destinations or a same-origin check. The application trusts user-supplied input as the post-login navigation target, which violates secure redirect handling practices.
Attack Vector
An attacker constructs a URL pointing to a legitimate Kargo deployment with the redirectTo parameter set to an attacker-controlled domain. The victim sees the trusted Kargo hostname and proceeds with authentication. After the OIDC callback completes, the browser is redirected to the malicious site, which can impersonate the Kargo login page (for example, claiming the session expired and asking the user to sign in again), prompt for additional credentials, or serve drive-by malware. The advisory describes the impact as phishing; it does not describe the redirect disclosing the user's session or OIDC tokens, so what the attacker gains from the bug is the credibility of the trusted hostname on the link. See the GitHub Security Advisory GHSA-g7gw-m874-7rmf for details on the affected code path.
Detection Methods for CVE-2026-42350
Indicators of Compromise
- HTTP requests to Kargo UI login endpoints containing a redirectTo query parameter whose value resolves to an external domain.
- Web server access logs showing login URLs with URL-encoded external hostnames in the redirectTo parameter.
- Reports from users of unexpected redirects to look-alike login pages after authenticating to Kargo.
Detection Strategies
- Inspect reverse proxy and ingress logs in front of Kargo for redirectTo values that do not match the Kargo deployment hostname.
- Add Web Application Firewall (WAF) rules that flag or block requests where redirectTo begins with a scheme (such as https:), a protocol-relative // or /\ prefix, or names any host other than the Kargo deployment itself. Check the decoded value, since the hostname will normally arrive URL-encoded.
- Correlate user-reported phishing events with the originating Kargo login URL to identify abuse of vulnerable instances.
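The following Go program is an added example, not Kargo's code and not the fix shipped in the advisory. It does two things: it implements the same-origin check that the Root Cause section says was missing, covering the encodings attackers use to slip past naive prefix checks (absolute URLs, protocol-relative //host, backslash and control-character variants), and it runs that same check over a few constructed access log lines to flag login requests whose redirectTo would leave the origin, which is the log-inspection strategy listed above. The login path /login, the log format and the hostnames are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CheckRedirectTarget returns a same-origin path for a redirectTo value and
// whether the value was acceptable. The rules are a defensive allowlist written
// for this example, not taken from Kargo's patch:
//   - empty means "go home"
//   - ASCII control characters are rejected: browsers strip tab/CR/LF, so
//     "/\t/evil" would become the protocol-relative "//evil"
//   - backslashes count as slashes, as browsers treat them ("/\evil" == "//evil")
//   - the value must start with exactly one "/" (no scheme, no "//host")
//   - after parsing it must carry no scheme, host or userinfo
func CheckRedirectTarget(raw string) (string, bool) {
	if raw == "" {
		return "/", true
	}
	for i := 0; i < len(raw); i++ {
		if raw[i] < 0x20 || raw[i] == 0x7f {
			return "/", false
		}
	}
	s := strings.ReplaceAll(raw, `\`, "/")
	if !strings.HasPrefix(s, "/") || strings.HasPrefix(s, "//") {
		return "/", false
	}
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "/", false
	}
	// Keep only path and query; the handler prefixes its own origin.
	target := u.EscapedPath()
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	return target, true
}

// SafeRedirectTarget is what a post-login handler would call: it never yields
// anything but a same-origin path, falling back to "/".
func SafeRedirectTarget(raw string) string {
	target, _ := CheckRedirectTarget(raw)
	return target
}

// Finding is one suspicious login request pulled from an access log.
type Finding struct {
	Line   int
	Client string
	Target string
}

// requestRe extracts the request target from a common/combined log format line.
var requestRe = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// loginPath is an assumption for this example; use the real UI route of your deployment.
const loginPath = "/login"

// ScanAccessLog applies the handler's check to logged requests instead: every
// login request whose redirectTo would leave the origin is reported.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.ParseRequestURI(m[1])
		if err != nil || req.Path != loginPath {
			continue
		}
		raw := req.Query().Get("redirectTo") // decoded once, as the handler would see it
		if raw == "" {
			continue
		}
		if _, ok := CheckRedirectTarget(raw); !ok {
			findings = append(findings, Finding{Line: i + 1, Client: strings.Fields(line)[0], Target: raw})
		}
	}
	return findings
}

// SampleAccessLog is constructed for this example; it is not real traffic.
var SampleAccessLog = []string{
	`10.0.0.5 - - [08/May/2026:10:01:12 +0000] "GET /login?redirectTo=%2Fproject%2Fdemo%3Ftab%3D1 HTTP/1.1" 302 0`,
	`10.0.0.9 - - [08/May/2026:10:02:47 +0000] "GET /login?redirectTo=https%3A%2F%2Fkargo-login.example.net%2F HTTP/1.1" 302 0`,
	`10.0.0.9 - - [08/May/2026:10:03:01 +0000] "GET /login?redirectTo=%2F%2Fkargo-login.example.net HTTP/1.1" 302 0`,
	`10.0.0.9 - - [08/May/2026:10:03:15 +0000] "GET /login?redirectTo=%2F%5Ckargo-login.example.net HTTP/1.1" 302 0`,
	`10.0.0.5 - - [08/May/2026:10:04:00 +0000] "GET /ui/assets/app.js HTTP/1.1" 200 48112`,
}

func main() {
	for _, f := range ScanAccessLog(SampleAccessLog) {
		fmt.Printf("line %d client %s external redirectTo=%q\n", f.Line, f.Client, f.Target)
	}
}
```

The check deliberately returns a path rather than a full URL, so even a bug elsewhere cannot turn the value back into an absolute destination; the handler concatenates its own origin. The scanner reuses the same function, which keeps the detection rule and the fix from drifting apart: anything the hardened handler would refuse is exactly what the log review flags.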
Monitoring Recommendations
- Forward Kargo UI access logs and OIDC provider logs to a centralized analytics platform to baseline normal redirectTo usage.
- Where an egress web proxy is in place, alert on requests to newly registered or low-reputation domains whose Referer header names the Kargo host; the Kargo server itself never sees the redirected request, so this signal only exists at the egress layer.
- Monitor authentication anomalies on identity providers federated with Kargo, such as logins from atypical geolocations following a redirect event.
How to Mitigate CVE-2026-42350
Immediate Actions Required
- Upgrade Kargo to version 1.7.10, 1.8.13, 1.9.8, or 1.10.2 depending on the deployed branch.
- Audit recent UI access logs for suspicious redirectTo values and notify users who may have followed malicious links.
- If abuse is suspected, invalidate the Kargo sessions of affected users and reset any credentials they may have entered on the phishing page. This flaw does not expose the OIDC client secret, so rotating it is not required by the vulnerability itself.
Patch Information
The issue has been patched in Kargo versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2. Patch details are documented in the GitHub Security Advisory GHSA-g7gw-m874-7rmf.
Workarounds
- Restrict access to the Kargo UI to trusted networks or VPN ranges until the upgrade is applied.
- Deploy a WAF rule that rejects requests to the OIDC login endpoint when the decoded redirectTo is an absolute URL, starts with // or /\, or references any host other than the Kargo deployment.
- Train DevOps and platform engineering users to verify the destination URL after Kargo authentication and to report unexpected redirects.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.