# CVE-2026-22039
Published 2026-01-27
Priority P267 · critical · 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.52% (40.0th percentile)
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
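The following is an added example of the kind of boundary check the description above says was missing: a Go function that accepts a resolved apiCall `urlPath` only if it is a relative API-server path whose namespace segment equals the namespace the Policy lives in. It is not Kyverno's own code and does not reproduce the exact regex used in the 1.15.3/1.16.3 fix; `ValidateNamespacedURLPath` and the path shapes it recognises are my own assumptions about how such a check would be written. It is stricter than the bare requirement in two ways a defender would want: absolute URLs are rejected, and non-canonical paths (`..`, empty segments, percent-encoded dots) are rejected before the namespace is compared, so the namespace segment cannot be escaped after validation.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// namespacedResourcePath matches the two Kubernetes API path shapes that carry
// a namespace segment: /api/v1/namespaces/<ns>[/...] for the core group and
// /apis/<group>/<version>/namespaces/<ns>[/...] for every other group. The
// namespace itself must be a valid DNS label.
var namespacedResourcePath = regexp.MustCompile(
	`^/(?:api/v1|apis/[^/]+/[^/]+)/namespaces/([a-z0-9](?:[-a-z0-9]*[a-z0-9])?)(?:/.*)?$`)

// ValidateNamespacedURLPath accepts an apiCall urlPath (after variable
// substitution) only if it is a path relative to the API server whose namespace
// segment equals the namespace the Policy object lives in. Cluster-scoped
// paths, other namespaces, absolute URLs and non-canonical paths are rejected.
// (Hypothetical helper; not Kyverno's implementation.)
func ValidateNamespacedURLPath(urlPath, policyNamespace string) error {
	if policyNamespace == "" {
		return errors.New("policy namespace must not be empty")
	}
	u, err := url.Parse(urlPath)
	if err != nil {
		return fmt.Errorf("urlPath %q does not parse: %w", urlPath, err)
	}
	if u.Scheme != "" || u.Host != "" {
		return fmt.Errorf("urlPath %q must be relative to the API server, not an absolute URL", urlPath)
	}
	// url.Parse has already decoded percent-escapes, so an encoded "%2e%2e"
	// shows up here as ".." and is caught by the canonical-form check below.
	p := u.Path
	if path.Clean(p) != strings.TrimSuffix(p, "/") {
		return fmt.Errorf("urlPath %q is not canonical (contains '.', '..' or empty segments)", urlPath)
	}
	m := namespacedResourcePath.FindStringSubmatch(p)
	if m == nil {
		return fmt.Errorf("urlPath %q is not a namespaced resource path", urlPath)
	}
	if m[1] != policyNamespace {
		return fmt.Errorf("urlPath %q targets namespace %q but the policy is in %q", urlPath, m[1], policyNamespace)
	}
	return nil
}

func main() {
	// Constructed sample inputs for a Policy living in namespace "team-a".
	cases := []string{
		"/api/v1/namespaces/team-a/configmaps/app-config",
		"/api/v1/namespaces/team-a/configmaps?labelSelector=app%3Dweb",
		"/apis/apps/v1/namespaces/team-a/deployments/web",
		"/api/v1/namespaces/kube-system/configmaps/app-config",
		"/apis/kyverno.io/v1/clusterpolicies",
		"/api/v1/namespaces/team-a/../kube-system/secrets",
		"/api/v1/namespaces/team-a/%2e%2e/kube-system/secrets",
		"https://example.invalid/api/v1/namespaces/team-a/configmaps",
	}
	for _, c := range cases {
		if err := ValidateNamespacedURLPath(c, "team-a"); err != nil {
			fmt.Println("REJECT", err)
		} else {
			fmt.Println("ALLOW ", c)
		}
	}
}
```

The check runs on the resolved path, after context variables such as `{{request.namespace}}` have been substituted, because that is the value that actually reaches the API server; validating the template string alone would not cover values injected through variable substitution.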
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 0 < 1.15.3 | 1.15.3 |
| github.com | kyverno_kyverno | 0 – 1.17.1 | — |
| github.com | kyverno_kyverno | >= 1.16.0-rc.1 < 1.16.3 | 1.16.3 |
| kyverno | kyverno | < 1.17.2 | 1.17.2 |
| kyverno | kyverno | < 1.17.2 | 1.17.2 |
| kyverno | kyverno | < 1.15.3 | 1.15.3 |
| kyverno | kyverno | >= 1.16.0 < 1.16.3 | 1.16.3 |
Detection & IOCs (extracted from sources)
- Monitor Kyverno policy engine for cross-namespace ConfigMap reads: the `configMap.namespace` field in Kyverno ClusterPolicy/Policy resources accepts any namespace without validation, allowing a namespace-scoped admin to read ConfigMaps from arbitrary namespaces using Kyverno's privileged service account.
- Alert on the Kyverno service account performing cross-namespace ConfigMap GET/LIST operations in Kubernetes audit logs, particularly where the requesting namespace differs from the ConfigMap's namespace; this indicates potential RBAC bypass exploitation.
- The fix for CVE-2026-22039 only patched the `apiCall` context URLPath field; the ConfigMap context loader (`configMap.namespace`) was left unpatched until version 1.17.2. Environments running Kyverno below 1.17.2 remain vulnerable to cross-namespace privilege escalation via the ConfigMap context.
- An updated fix is available in Kyverno version 1.17.2. Upgrading is required to remediate the ConfigMap namespace validation bypass.
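As an added example of the audit-log detection described in the list above (not code from any of the cited sources), the Go program below scans newline-delimited `audit.k8s.io/v1` events and flags two things: reads of ConfigMaps or Secrets made with the Kyverno admission controller identity outside an allowlist of namespaces it is expected to read from, and any `create` of a `clusterpolicies` object by that identity. The sample events are constructed, and the service-account username `system:serviceaccount:kyverno:kyverno-admission-controller` is assumed to be what the default Helm install produces; adjust both for your cluster. `DetectKyvernoCrossNamespaceAccess` and `Finding` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kyvernoAdmissionSA is the assumed username of the admission controller's
// ServiceAccount (default Helm install); override it for your cluster.
const kyvernoAdmissionSA = "system:serviceaccount:kyverno:kyverno-admission-controller"

// auditEvent holds the subset of an audit.k8s.io/v1 Event the detection needs.
type auditEvent struct {
	Stage string `json:"stage"`
	Verb  string `json:"verb"`
	User  struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		APIGroup    string `json:"apiGroup"`
		Resource    string `json:"resource"`
		Subresource string `json:"subresource"`
		Namespace   string `json:"namespace"`
		Name        string `json:"name"`
	} `json:"objectRef"`
	RequestReceivedTimestamp string `json:"requestReceivedTimestamp"`
}

// Finding is one suspicious request made with the Kyverno identity.
type Finding struct {
	Timestamp, Reason, Verb, Resource, Namespace, Name string
}

var readVerbs = map[string]bool{"get": true, "list": true, "watch": true}

// DetectKyvernoCrossNamespaceAccess scans newline-delimited audit events.
// expectedNamespaces is the allowlist of namespaces the controller legitimately
// reads ConfigMaps/Secrets from; it is environment specific and must be tuned
// against a known-good baseline. An all-namespaces list/watch carries no
// objectRef.namespace and is flagged unless the allowlist contains "".
func DetectKyvernoCrossNamespaceAccess(auditLog, kyvernoUser string, expectedNamespaces map[string]bool) ([]Finding, error) {
	var findings []Finding
	for n, line := range strings.Split(auditLog, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		// A request is logged at several stages; score it once, on completion.
		if ev.Stage != "ResponseComplete" || ev.User.Username != kyvernoUser {
			continue
		}
		ref := ev.ObjectRef
		f := Finding{Timestamp: ev.RequestReceivedTimestamp, Verb: ev.Verb, Resource: ref.Resource, Namespace: ref.Namespace, Name: ref.Name}
		switch {
		case readVerbs[ev.Verb] && (ref.Resource == "configmaps" || ref.Resource == "secrets") && !expectedNamespaces[ref.Namespace]:
			f.Reason = "kyverno identity read " + ref.Resource + " outside expected namespaces"
		case ev.Verb == "create" && ref.Resource == "clusterpolicies" && ref.Subresource == "":
			f.Reason = "kyverno identity created a ClusterPolicy"
		default:
			continue // status updates and reads in expected namespaces are normal
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// sampleAuditLog is a constructed log: one benign read, one cross-namespace
// ConfigMap read, one cross-namespace Secret list, one ClusterPolicy create,
// one routine status update, and one read by an unrelated user.
const sampleAuditLog = `
{"stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-config"},"requestReceivedTimestamp":"2026-02-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-config"},"requestReceivedTimestamp":"2026-02-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"resource":"configmaps","namespace":"kyverno","name":"kyverno"},"requestReceivedTimestamp":"2026-02-01T10:00:01Z"}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"resource":"secrets","namespace":"team-b"},"requestReceivedTimestamp":"2026-02-01T10:00:02Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"apiGroup":"kyverno.io","resource":"clusterpolicies","name":"cp-unexpected"},"requestReceivedTimestamp":"2026-02-01T10:00:03Z"}
{"stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:kyverno:kyverno-admission-controller"},"objectRef":{"apiGroup":"kyverno.io","resource":"clusterpolicies","subresource":"status","name":"require-labels"},"requestReceivedTimestamp":"2026-02-01T10:00:04Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-config"},"requestReceivedTimestamp":"2026-02-01T10:00:05Z"}
`

func main() {
	findings, err := DetectKyvernoCrossNamespaceAccess(sampleAuditLog, kyvernoAdmissionSA, map[string]bool{"kyverno": true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-6s %s/%s %s: %s\n", f.Timestamp, f.Verb, f.Namespace, f.Resource, f.Name, f.Reason)
	}
}
```

Two design choices matter in practice. The rule scores only `ResponseComplete` events so a single request is not counted once per audit stage, and it deliberately ignores writes to the `status` subresource, because the admission controller routinely updates policy status and a blanket "any cluster-scoped write" rule would be too noisy to act on. The namespace allowlist is the tuning knob: ClusterPolicies legitimately pull ConfigMaps from many namespaces, so build the allowlist from a baseline of normal traffic before alerting on it.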
CVSS provenance
- NVD (CVSS v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- GHSA: 9.9 CRITICAL
GHSA: Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
ghsa · 2026-04-16 · CVE-2026-22039 · CRITICAL · CVSS 9.9 · CWE-863
### Summary
CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the **ConfigMap context loader has the identical vulnerability**: the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters.
### Details
**Root cause:** The CVE-2026-22039 fix in `pkg/engine/apicall/apiCall.go` (lines 73-83) validates that `URLPath` references only the policy's own namespace using regex. However, the ConfigMap context loader at `pkg/engine/context/loa
OSV: Kyverno Cross-Namespace Privilege Escalation via Policy apiCall in github.com/kyverno/kyverno
osv · 2026-02-02 · CVE-2026-22039
OSV: Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
osv · 2026-01-27 · CVE-2026-22039 · CRITICAL
### Summary
A critical authorization boundary bypass in namespaced Kyverno Policy [apiCall](https://kyverno.io/docs/policy-types/cluster-policy/external-data-sources/#url-paths). The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace.
As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scop
GHSA: Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
ghsa · 2026-01-27 · CVE-2026-22039 · CRITICAL · CWE-269
Summary text identical to the OSV record above.
No detection rules found.
No public exploits indexed.
Hackernews: ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews · 2026-04-20 · CVE-2026-20184
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
Wiz: CVE-2026-22039 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVE-2026-22039 · CRITICAL · CVSS 9.9
## CVE-2026-22039: Wolfi vulnerability analysis and mitigation
Source: NVD
- Score: 9.9 (CNA score 9.9)
- Published: January 27, 2026
- Severity: CRITICAL
- Affected technologies: Wolfi, Chainguard
- Has public exploit: Yes
- Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
- EPSS: 0.1 (19.1th percentile)
- Affected packages and libraries: cpe:2.3:a:kyverno:kyverno, github.com/kyverno/kyverno
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| Chainguard | — | Has fix | Jan 28, 2026 |
| GoLang | CRITICAL | Has fix | Jan 27, 2026 |
| Homebrew | CRITICAL | Has fix | Feb 04, 2026 |
| MinimOS | CRITICAL | Has fix | Jan 28, 2026 |
| Nix | CRITICAL | Has fix | Feb 04, 2026 |
| Linux | CRITICAL | Has fix | — |
Wiz: CVE-2026-4789 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVE-2026-4789 · HIGH · CVSS 8.5
## CVE-2026-4789: Kyverno vulnerability analysis and mitigation
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Source: NVD
- Score: 9.8 (CNA score 9.8)
- Published: March 30, 2026
- Severity: CRITICAL
- Affected technologies: Kyverno
- Has public exploit: No
- Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
- EPSS: N/A (5.3th percentile)
- Affected packages and libraries: cpe:2.3:a:kyverno:kyverno, kyverno
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| Chainguard | — | No fix | Mar 31, 2026 |
| GoLang | MEDIUM | No fix | Apr 02, 2026 |
| Homebrew | CRITICAL | No fix | Apr 06, 2026 |
| Nix | CRITICAL | No fix | Apr 06, 2026 |
| Linux | CRITICAL | Has fix | — |