{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.7.10"
              },
              {
                "introduced": "1.8.0-rc.1"
              },
              {
                "fixed": "1.8.13"
              },
              {
                "introduced": "1.9.0-rc.1"
              },
              {
                "fixed": "1.9.8"
              },
              {
                "introduced": "1.10.0-rc.1"
              },
              {
                "fixed": "1.10.2"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2c8f95efe19d6edc3a416b384b3138885cf4bc31"
            },
            {
              "introduced": "ccd41e14522b722e6d7e7253db0432775e03006d"
            },
            {
              "fixed": "50df4b3dfc6e0619553c3bccf70356572b03d7dd"
            },
            {
              "introduced": "43f0d467c3fd15fe4386f184f4cc757d747be041"
            },
            {
              "fixed": "52107be1d392feaf02d640083cc000be5756f557"
            },
            {
              "introduced": "5413c5e4729ba32bf5f4eadefd9584c1ad44e3fe"
            },
            {
              "fixed": "768b2a62dcd70b7b2313290fea6c673e49e0c2d4"
            }
          ],
          "repo": "https://github.com/akuity/kargo",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-g7gw-m874-7rmf"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42350.json"
  },
  "details": "Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2.",
  "id": "CVE-2026-42350",
  "modified": "2026-07-08T05:37:15.152253147Z",
  "published": "2026-05-08T22:35:30.155Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42350.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/akuity/kargo/security/advisories/GHSA-g7gw-m874-7rmf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42350"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Query Parameter"
}