Skip to content
CVSS 8.1 · HIGH

CVE-2026-41323

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.

Ver en NVD

Análisis

Kyverno users should update immediately to address a high-severity flaw in ClusterPolicy API calls. The admission controller's high-privilege ServiceAccount token is automatically attached to outgoing requests without URL validation, allowing an attacker to steal the token and achieve full cluster compromise. Patches are available in versions 1.16.4, 1.17.2-rc1, and 1.18.0-rc1.

Severidad

Puntaje: 8.1(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-200CWE-918

EPSS

Probabilidad de explotación (próx. 30 días): 0.0003 (0.0%)
Percentil: 7.1%
EPSS: 2026-05-06

Afecta

kyverno:kyverno

Descripción técnica

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.

Publicada: 24/4/2026, 4:16:20
Última modificación: 27/4/2026, 17:53:22

Referencias

InicioEventosBlogRecursosEquipo