FKIE_CVE-2026-22039

Vulnerability from fkie_nvd - Published: 2026-01-27 17:16 - Updated: 2026-02-02 15:13
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Impacted products
Vendor Product Version
kyverno kyverno *
kyverno kyverno *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC83E83A-2BA5-4A52-AF06-06E67CA03749",
              "versionEndExcluding": "1.15.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFFC15A4-197B-44FB-985A-BDDE22679655",
              "versionEndExcluding": "1.16.3",
              "versionStartIncluding": "1.16.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy\u2019s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno\u2019s admission controller identity, targeting any API path allowed by that ServiceAccount\u2019s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."
    },
    {
      "lang": "es",
      "value": "Kyverno es un motor de pol\u00edticas dise\u00f1ado para equipos de ingenier\u00eda de plataformas nativas de la nube. Las versiones anteriores a la 1.16.3 y 1.15.3 tienen un bypass cr\u00edtico de l\u00edmite de autorizaci\u00f3n en la llamada a la API de pol\u00edtica de Kyverno con espacio de nombres. La \u0027urlPath\u0027 resuelta se ejecuta utilizando la ServiceAccount del controlador de admisi\u00f3n de Kyverno, sin que se aplique que la solicitud est\u00e9 limitada al espacio de nombres de la pol\u00edtica. Como resultado, cualquier usuario autenticado con permiso para crear una pol\u00edtica con espacio de nombres puede hacer que Kyverno realice solicitudes a la API de Kubernetes utilizando la identidad del controlador de admisi\u00f3n de Kyverno, apuntando a cualquier ruta de API permitida por el RBAC de esa ServiceAccount. Esto rompe el aislamiento de espacios de nombres al permitir lecturas entre espacios de nombres (por ejemplo, ConfigMaps y, donde est\u00e9 permitido, Secrets) y permite escrituras a nivel de cl\u00faster o entre espacios de nombres (por ejemplo, la creaci\u00f3n de ClusterPolicies) controlando la \u0027urlPath\u0027 mediante la sustituci\u00f3n de variables de contexto. Las versiones 1.16.3 y 1.15.3 contienen un parche para la vulnerabilidad."
    }
  ],
  "id": "CVE-2026-22039",
  "lastModified": "2026-02-02T15:13:57.440",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T17:16:12.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        },
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}