Vulnerability in Kyverno Policy Engine Exposes Cluster Security
CVE-2026-41323

8.1 HIGH

Key Information:

Vendor: Kyverno
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-41323?

The Kyverno policy engine has a vulnerability in its apiCall feature: the admission controller automatically attaches its own ServiceAccount token to the outgoing HTTP requests that an apiCall makes. The service URL of an apiCall is not validated, so a request, token included, can be directed at a potentially malicious server. An attacker who intercepts this token gains the admission controller's permissions, including the ability to manipulate webhook configurations, which creates the risk of full cluster compromise. Users are encouraged to upgrade to versions 1.18.0-rc1, 1.17.2-rc1, or 1.16.4 to mitigate this risk.
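The upgrade is the fix; what a cluster operator wants alongside it is an inventory of which installed policies actually exercise the apiCall feature against a Service URL, and where those URLs point. The script below is an added example, not Kyverno project code. It reads the JSON that `kubectl get clusterpolicy,policy -A -o json` would emit and flags every apiCall whose `service.url` does not name an in-cluster Service or uses plain http. The field layout (`spec.rules[].context[].apiCall.service.url`) is assumed from Kyverno's documented policy schema, the cluster DNS domain `cluster.local` is the kubeadm default and is an assumption, and the policy document embedded at the bottom is constructed for this example.

```python
"""Audit Kyverno policies for apiCall contexts whose service URL leaves the cluster.

Added example, not Kyverno's own code. Field layout and the cluster DNS domain
are assumptions; SAMPLE is a constructed policy list.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Cluster DNS domain; "cluster.local" is the kubeadm default (assumption).
CLUSTER_DOMAIN = "cluster.local"


def classify_url(url, cluster_domain=CLUSTER_DOMAIN):
    """Return 'in-cluster', 'plaintext' or 'external' for an apiCall service URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "plaintext"  # the ServiceAccount token would travel without TLS
    try:
        ipaddress.ip_address(host)
        return "external"  # bare IP literal: cannot be matched to a Service name
    except ValueError:
        pass
    if host.endswith(".svc") or host.endswith(".svc." + cluster_domain):
        return "in-cluster"
    return "external"


def iter_api_calls(node):
    """Yield (context name, apiCall dict) for every apiCall nested in a policy spec.

    Walks the whole spec so contexts under foreach/mutate/validate blocks are
    found too, not only rules[].context[].
    """
    if isinstance(node, dict):
        if isinstance(node.get("apiCall"), dict):
            yield node.get("name", "<unnamed>"), node["apiCall"]
        for value in node.values():
            yield from iter_api_calls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_api_calls(value)


def audit_policies(doc, cluster_domain=CLUSTER_DOMAIN):
    """Return [(policy name, context name, url, verdict)] for calls needing review."""
    findings = []
    for item in doc.get("items", [doc]):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        for ctx_name, call in iter_api_calls(item.get("spec", {})):
            url = call.get("service", {}).get("url")
            if not url:
                continue  # urlPath-only calls go to the API server, not to a Service
            verdict = classify_url(url, cluster_domain)
            if verdict != "in-cluster":
                findings.append((name, ctx_name, url, verdict))
    return findings


# Constructed sample: one clean policy, one calling out of the cluster, one over http.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "check-image-signer"},
  "spec": {"rules": [{"name": "lookup", "context": [
    {"name": "cm", "apiCall": {"urlPath": "/api/v1/namespaces/default/configmaps"}},
    {"name": "verify", "apiCall": {"method": "POST",
      "service": {"url": "https://verifier.security.svc:443/check"}}}]}]}},
 {"metadata": {"name": "suspicious-external-call"},
  "spec": {"rules": [{"name": "call-out", "context": [
    {"name": "out", "apiCall": {"service": {"url": "https://collector.example.com/collect"}}}]}]}},
 {"metadata": {"name": "plain-http"},
  "spec": {"rules": [{"name": "scan", "context": [
    {"name": "ep", "apiCall": {"service": {"url": "http://scanner.tools.svc/scan"}}}]}]}}
]}
""")

if __name__ == "__main__":
    for policy, ctx, url, verdict in audit_policies(SAMPLE):
        print(f"{verdict:10} {policy}/{ctx}: {url}")
```

The check is deliberately strict: a URL written in the `name.namespace` shorthand without `.svc` is reported as external, so it lands in the review list rather than being silently trusted. Anything the script reports is a policy whose apiCall would carry the controller's token off to that host on affected versions, which is the set to re-examine after upgrading.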

Affected Version(s)

kyverno < 1.16.4

kyverno >= 1.17.0-rc1, < 1.17.2-rc1

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved