CVE-2026-22039

Medienbericht

Exploit

EPSS 0.52%
Veröffentlicht 27.01.2026 16:07:19
Zuletzt bearbeitet 02.02.2026 15:13:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Kyverno Cross-Namespace Privilege Escalation via Policy apiCall

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kyverno ≫ Kyverno Version < 1.15.3

Kyverno ≫ Kyverno Version >= 1.16.0 < 1.16.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.52%	0.397

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

20.04.2026 16:46

https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2

Vendor Advisory

Exploit

Mitigation

https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b

Patch

https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-22039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22039

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22039