CVE-2026-4789
Published 2026-03-30
CVE-2026-4789: Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Priority P3 · 54 · Severity critical · CVSS 3.1 base score 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.70% (48.7th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 1.16.0 < 1.17.0 | 1.17.0 |
| github.com | kyverno_kyverno | 1.16.0 – 1.17.1 | — |
| kyverno | kyverno | — | — |
| kyverno | kyverno | 1.16.0 – 1.17.1 | — |
GHSA · 2026-04-14 · HIGH · CWE-918
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
## Summary
A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library (`pkg/cel/libs/http/`) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal services in other namespaces, cloud metadata endpoints (169.254.169.254), and data exfiltration via policy error messages.
## Affected Versions
- Kyverno >= 1.16.0 (with `policies.kyverno.io` CRDs enabled, which is the default)
- Tested on: Kyverno v1.16.2 (Helm chart 3.6.2)
## Details
The `http.Get()` and `http.Post()` functions available in CEL-based policies (`policies.kyverno.io` API
OSV · 2026-03-30 · MEDIUM
Kyverno is vulnerable to server-side request forgery (SSRF)
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
GHSA · 2026-03-30 · MEDIUM · CWE-918
Kyverno is vulnerable to server-side request forgery (SSRF)
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
No detection rules found.
No public exploits indexed.
Hackernews · 2026-04-06
## ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers — Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Wiz · CVSS 8.5 · HIGH
## CVE-2026-4789: Kyverno vulnerability analysis and mitigation
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.8 |
| Published | March 30, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | Kyverno |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 5.3 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries: cpe:2.3:a:kyverno:kyverno (kyverno)
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| Chainguard | — | No Fix | Mar 31, 2026 |
| GoLang | MEDIUM | No Fix | Apr 02, 2026 |
| Homebrew | CRITICAL | No Fix | Apr 06, 2026 |
| Nix | CRITICAL | No Fix | Apr 06, 2026 |
| Linux | CRITICAL | Has Fix | 2026-03-30 |