Cross-Namespace Privilege Escalation Vulnerability in Kyverno by Nirmata
CVE-2026-41068

7.7HIGH

Key Information:

Vendor: Kyverno
Status: Kyverno
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-41068?

Kyverno, a cloud-native policy engine, is susceptible to a serious vulnerability due to improper validation of the configMap.namespace field. This flaw allows a namespace admin to gain unauthorized access to ConfigMaps from any namespace when using Kyverno's privileged service account, leading to a complete Role-Based Access Control (RBAC) bypass. Multi-tenant Kubernetes clusters are particularly at risk, and users are encouraged to upgrade to version 1.17.2 or later to mitigate this issue. For detailed information, refer to the official advisory.

Affected Version(s)

kyverno < 1.17.2

References

https://github.com/kyverno/kyverno/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/kyverno/kyverno/commit/bbf3e5c01391d61...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41068 Data

JSON