
Kyverno vulnerabilities

20 known vulnerabilities affecting kyverno/kyverno.

Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 5
Severity breakdown: CRITICAL 3, HIGH 9, MEDIUM 7, LOW 1

Vulnerabilities

CVE-2023-47630 | P3 | HIGH | CVSS 7.1 | Exploited | fixed in 1.10.5 | 2023-11-14
CVE-2023-47630 [HIGH] CWE-345: Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The attacker could then return a vulnerable image to the user and leverage
Source: nvd
CVE-2026-22039 | P2 | CRITICAL | CVSS 9.9 | fixed in 1.15.3; ≥ 1.16.0, < 1.16.3; +1 more | 2026-01-27
CVE-2026-22039 [CRITICAL] CWE-269: Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the pol
Source: nvd
CVE-2023-42815 | P4 | MEDIUM | CVSS 5.3 | Exploited | v>= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, < fec2992e3f9fcd6b9c62267522c09b182e7df73b | 2023-11-13
CVE-2023-42815 [MEDIUM] CWE-835: Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a
Source: nvd
CVE-2023-42814 | P4 | MEDIUM | CVSS 5.3 | Exploited | v>= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, < fec2992e3f9fcd6b9c62267522c09b182e7df73b | 2023-11-13
CVE-2023-42814 [MEDIUM] CWE-835: Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could retu
Source: nvd
CVE-2023-42813 | P4 | MEDIUM | CVSS 5.3 | Exploited | v>= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, < fec2992e3f9fcd6b9c62267522c09b182e7df73b | 2023-11-13
CVE-2023-42813 [MEDIUM] CWE-400: Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could retu
Source: nvd
CVE-2023-42816 | P4 | MEDIUM | CVSS 5.3 | Exploited | v>= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, < fec2992e3f9fcd6b9c62267522c09b182e7df73b | 2023-11-13
CVE-2023-42816 [MEDIUM] CWE-345: Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a
Source: nvd
CVE-2026-4789 | P3 | CRITICAL | CVSS 9.8 | ≥ 1.16.0, ≤ 1.17.1; v1.16.0 | 2026-03-30
CVE-2026-4789 [CRITICAL] CWE-918: Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Source: nvd
CVE-2026-41323 | P3 | CRITICAL | CVSS 9.1 | fixed in 1.16.4; ≥ 1.17.0, < 1.17.2; +1 more | 2026-04-24
CVE-2026-41323 [CRITICAL] CWE-200: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including atta
Source: nvd
CVE-2026-40868 | P3 | HIGH | CVSS 8.1 | fixed in 1.16.4 | 2026-04-21
CVE-2026-40868 [HIGH] CWE-922: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, th
Source: nvd
CVE-2025-46342 | P3 | HIGH | CVSS 8.2 | ≤ 1.11.5; ≥ 1.12.0, < 1.13.5; +2 more | 2025-04-30
CVE-2025-46342 [HIGH] CWE-1287: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNames
Source: nvd
CVE-2023-33191 | P3 | HIGH | CVSS 8.8 | v>= 1.9.2, < 1.9.4 | 2023-05-30
CVE-2023-33191 [HIGH] CWE-284: Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
Source: nvd
CVE-2026-41068 | P3 | HIGH | CVSS 7.7 | fixed in 1.17.2 | 2026-04-24
CVE-2026-41068 [HIGH]: Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero valida
Source: nvd
CVE-2022-47633 | P3 | HIGH | CVSS 8.1 | v1.8.3; v1.8.4 | 2022-12-23
CVE-2022-47633 [HIGH] CWE-287: An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This has been fixed in 1.8.5 and mitigations are available for impacted releases.
Source: nvd
CVE-2026-41485 | P3 | HIGH | CVSS 7.7 | ≥ 1.13.0, < 1.16.4; ≥ 1.17.0, < 1.17.2; +2 more | 2026-04-24
CVE-2026-41485 [HIGH] CWE-617: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also
Source: nvd
CVE-2025-29778 | P3 | HIGH | CVSS 8.0 | ≥ 1.13.0, < 1.13.6; fixed in 1.14.0-alpha.1 | 2025-03-24
CVE-2025-29778 [HIGH] CWE-285: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. It allows the attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthor
Source: nvd
CVE-2025-47281 | P3 | HIGH | CVSS 7.7 | fixed in 1.14.2 | 2025-07-23
CVE-2025-47281 [HIGH] CWE-20: Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and
Source: nvd
CVE-2023-34091 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.10.0 | 2023-06-01
CVE-2023-34091 [MEDIUM] CWE-285: Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being
Source: nvd
CVE-2026-23881 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.15.3; ≥ 1.16.0, < 1.16.3; +1 more | 2026-01-27
CVE-2026-23881 [MEDIUM] CWE-770: Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions
Source: nvd
CVE-2026-44245 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.5.2 | 2026-05-12
CVE-2026-44245 [MEDIUM] CWE-79: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, mean
Source: nvd
CVE-2024-48921 | P4 | LOW | CVSS 2.7 | fixed in 1.13.0 | 2024-10-29
CVE-2024-48921 [LOW] CWE-285: Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, i.e. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to
Source: nvd