Authorization Boundary Bypass in Kyverno Policy Engine Affects Cloud Security
CVE-2026-22039

10CRITICAL

Key Information:

Vendor

Kyverno

Status
Kyverno
Vendor
CVE Published:
27 January 2026

What is CVE-2026-22039?

Kyverno, a policy engine tailored for cloud-native infrastructure, contains a vulnerability that allows an authenticated user with permissions to create a namespaced Policy to bypass authorization boundaries. This defect primarily affects versions 1.16.2 and earlier, as well as 1.15.2 and earlier. The vulnerability permits unauthorized API requests to be executed using Kyverno's admission controller identity, enabling cross-namespace access to sensitive resources like ConfigMaps and Secrets. This breach of namespace isolation can lead to unauthorized data access, raising significant security concerns for Kubernetes environments. Versions 1.16.3 and 1.15.3 restore necessary protections against this exploit.

Affected Version(s)

kyverno < 1.15.3 < 1.15.3

kyverno >= 1.16.0, < 1.16.3 < 1.16.0, 1.16.3

References

https://github.com/kyverno/kyverno/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca3...
x_refsource_MISC
https://github.com/kyverno/kyverno/commit/eba60fa856c781b...
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.