CVE-2026-41323

CRITICAL EPSS 42.4%
Published Apr 24, 20262mo ago · Modified Jun 17, 20262w ago
9.1 CVSS 3.1
Critical
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.

CVSS Details

Base Score
9.1
Exploitability
2.3
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
42.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 2

VendorProductVersionRange
kyvernokyverno* <1.16.4
kyvernokyverno*≥1.17.0  –  <1.17.2

References 4

  • github.com https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5
    Patch
  • github.com https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6
    Patch
  • github.com https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0
    Patch
  • github.com https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5
    Patch
  • github.com https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6
    Patch
  • github.com https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0
    Patch