cbcvebase.

github.com/kyverno/kyverno vulnerabilities

18 known vulnerabilities affecting github.com/kyverno/kyverno.

Total CVEs: 18
CISA KEV: 0
Public exploits: 1
Exploited in wild: 5
Severity breakdown: CRITICAL 1, HIGH 9, MEDIUM 4, UNKNOWN 4

Vulnerabilities

CVE | P | Severity | CVSS | Flags | Affected versions | Date
CVE-2016-2183 | P2 | HIGH | CVSS 7.5 | PoC | ≥ 0, < 1.9.5 | 2023-05-30
[HIGH] Kyverno vulnerable due to usage of insecure cipher. Summary: Insecure 3DES ciphers are used, which may lead to exploitation of the Sweet32 vulnerability (https://sweet32.info/). Specifically, the ciphers TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) are allowed. See CVE-2016-2183. This is fixed in Kyverno v1.9.5 and v1.10.0 and no known users have been affected.
Sources: GHSA, OSV
CVE-2023-47630 | P3 | MEDIUM | CVSS 5.3 | Exploited | ≥ 0, < 1.10.5 | 2023-11-14
[MEDIUM] CWE-200. Attacker can cause Kyverno user to unintentionally consume insecure image. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that Kyverno fetches the images from. The attacker could then return a vulnerable image to the user and leverage that to further escalate
Sources: GHSA, OSV
CVE-2026-22039 | P2 | CRITICAL | CVSS 9.9 | - | ≥ 0, < 1.15.3; ≥ 1.16.0-rc.1, < 1.16.3 | 2026-01-27
[CRITICAL] CWE-269. Kyverno Cross-Namespace Privilege Escalation via Policy apiCall. Summary: A critical authorization boundary bypass in namespaced Kyverno Policy apiCall (https://kyverno.io/docs/policy-types/cluster-policy/external-data-sources/#url-paths). The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's nam
Sources: GHSA, OSV
CVE-2023-42815 | P4 | UNKNOWN | - | Exploited | ≥ 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f | 2024-08-21
Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
Source: OSV
CVE-2023-42814 | P4 | UNKNOWN | - | Exploited | ≥ 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f | 2024-08-21
Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
Source: OSV
CVE-2023-42813 | P4 | UNKNOWN | - | Exploited | ≥ 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f | 2024-08-21
Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno
Source: OSV
CVE-2023-42816 | P4 | UNKNOWN | - | Exploited | ≥ 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f | 2024-08-21
Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno
Source: OSV
CVE-2026-4789 | P3 | HIGH | - | - | ≥ 1.16.0, < 1.17.0 | 2026-04-14
[HIGH] CWE-918. Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy, allowing cross-namespace data access. Summary: A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library (`pkg/cel/libs/http/`) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. Th
Sources: GHSA, OSV
CVE-2026-40868 | P3 | HIGH | - | - | ≥ 0, < 1.17.0 | 2026-04-14
[HIGH] CWE-441. Kyverno apiCall servicecall implicit bearer token injection leaks Kyverno ServiceAccount token. Kyverno's apiCall servicecall helper implicitly injects `Authorization: Bearer ...` using the Kyverno controller ServiceAccount token when a policy does not explicitly set an Authorization header. Because `context.apiCall.service.url` is policy-controlled, this can send the kyve
Source: GHSA
CVE-2025-46342 | P3 | HIGH | - | - | ≥ 0, < 1.13.5; ≥ 1.14.0-alpha.1, < 1.14.0 | 2025-04-29
[HIGH] CWE-1287. Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements. Summary: Due to missing error propagation in the function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`, it may happen that policy rules using namespace selector(s) in their `match` statements are mistakenly not applied during admission review reques
Sources: GHSA, OSV
CVE-2023-33191 | P3 | MEDIUM | - | - | ≥ 1.9.2, < 1.9.4 | 2023-05-25
[MEDIUM] CWE-284. Kyverno seccomp control can be circumvented. Impact: Users of the podSecurity (`validate.podSecurity`) subrule in Kyverno versions v1.9.2 and v1.9.3 may be unable to enforce the check for the Seccomp control at the baseline level when using a `version` value of `latest`. There is no effect if a version number is referenced instead. See the documentation (https://kyverno.io/docs/writing-policies/validate/#pod-securit
Sources: GHSA, OSV
CVE-2022-47633 | P3 | HIGH | - | - | ≥ 1.8.3, < 1.8.5 | 2022-12-21
[HIGH] CWE-287. Kyverno verifyImages rule bypass possible with malicious proxy/registry. Impact: Users of Kyverno on versions 1.8.3 or 1.8.4 who use `verifyImages` rules to verify container image signatures, and do not prevent use of unknown registries. Patches: This issue has been fixed in version 1.8.5 (https://github.com/kyverno/kyverno/releases/tag/v1.8.5). Workarounds: Configure a Kyverno pol
Sources: GHSA, OSV
CVE-2026-41485 | P3 | HIGH | - | - | ≥ 1.13.0, < 1.16.4; ≥ 1.17.0-rc.1, < 1.17.2 | 2026-04-24
[HIGH] CWE-617. Kyverno Controller Denial of Service via forEach Mutation Panic. Summary: An unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operatio
Source: GHSA
CVE-2025-47281 | P3 | HIGH | - | - | ≥ 0, < 1.14.2 | 2025-07-22
[HIGH] CWE-20. Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service. Summary: A Denial of Service (DoS) vulnerability exists in Kyverno due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the `{{@}}` variable combined with a pipe and an invalid JMESPath function (e.g., `{{@ | non_existe
Sources: GHSA, OSV
CVE-2025-29778 | P3 | MEDIUM | - | - | ≥ 1.13.0, < 1.14.0-alpha.1 | 2025-03-24
[MEDIUM] CWE-285. Kyverno ignores subjectRegExp and IssuerRegExp. Summary: Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. This allows an attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Details: Kyverno checks only the subject and issuer fields when verifying an artifact's signature: https://github.com/Mohdcode/kyverno/blob/373f94
Sources: GHSA, OSV
CVE-2023-34091 | P3 | MEDIUM | - | - | ≥ 0, < 1.10.0 | 2023-06-05
[MEDIUM] CWE-285. Kyverno resource with a deletionTimestamp may allow policy circumvention. Impact: In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being conscious
Sources: GHSA, OSV
CVE-2026-23881 | P3 | HIGH | - | - | ≥ 0, < 1.15.3; ≥ 1.16.0-rc.1, < 1.16.3 | 2026-01-27
[HIGH] CWE-770. Kyverno Denial of Service via Context Variable Amplification in Policy Engine. Summary: Unbounded memory consumption in Kyverno's policy engine allows users with policy creation privileges to cause Denial of Service by crafting policies that exponentially amplify string data through context variables. Details: For example, the `random()` JMESPath function in `pkg/engine/jmespath/func
Sources: GHSA, OSV
CVE-2024-48921 | P4 | HIGH | - | - | ≥ 0, < 1.13.0 | 2024-10-29
[HIGH] CWE-285. Kyverno's PolicyException objects can be created in any namespace by default. Summary: A Kyverno ClusterPolicy, e.g. "disallow-privileged-containers", can be overridden by the creation of a PolicyException in an arbitrary namespace. Details: By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno n
Sources: GHSA, OSV