Kubernetes
CVE-2026-40868
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy).
namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage.
attacker model
the attacker can create or update a ClusterPolicy (or create a GlobalContextEntry) which uses context.apiCall.service.url and can choose the request URL and headers. a cross-boundary framing for real deployments is gitops: if the policy repo/controller is compromised, the ClusterPolicy/global context entry becomes untrusted input to kyverno.
relevant links
- repository: https://github.com/kyverno/kyverno
- commit: 17aeb52337fd66adb0c8126213ba076612a287a7
- callsite (token injection): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/executor.go#L150-L173
- namespaced policy gate (servicecall blocked): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/apiCall.go#L67-L83
root cause
in (*executor).addHTTPHeaders, kyverno reads the serviceaccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and injects it when the outgoing request has no Authorization header:
if req.Header.Get("Authorization") == "" {
token := a.getToken()
if token != "" {
req.Header.Add("Authorization", "Bearer "+token)
}
}proof of concept
the attached poc.zip is a reproducible cluster PoC. it uses an in-cluster HTTP receiver which logs the Authorization header it receives. the PoC does not print token bytes; it only checks that the received header is non-empty and not equal to the negative control.
run (one command):
unzip poc.zip -d poc
cd poc
make testcanonical (expected: implicit token injection):
unzip poc.zip -d poc
cd poc
make canonicalexpected output includes:
[CALLSITE_HIT]: executor.addHTTPHeaders Authorization=="" -> read_serviceaccount_token=true
[PROOF_MARKER]: authorization_header_injected=true token_nonempty=truecontrol (expected: explicit Authorization header disables auto-injection):
unzip poc.zip -d poc
cd poc
make controlexpected output includes:
[CALLSITE_HIT]: executor.addHTTPHeaders Authorization!="" -> autoinject_skipped=true
[NC_MARKER]: authorization_header_injected=falseoptional: the canonical run may also print an [RBAC]: ... line using kubectl auth can-i with the exfiltrated token, to show concrete privileges without exposing the token.
impact
token exfiltration: the kyverno controller serviceaccount token is sent to a policy-controlled endpoint. impact depends on the rbac bound to that serviceaccount in the target deployment.
recommended fix
do not auto-inject the kyverno serviceaccount token into policy-controlled servicecall requests. require explicit Authorization configuration, or enforce a strict allowlist of destinations where credentials may be attached and document the behavior.
workarounds
- avoid using servicecall to arbitrary urls in policies.
- set an explicit Authorization header in servicecall policies to prevent implicit token injection.
oleh
AnalysisAI
Kyverno's apiCall service helper automatically injects the controller's ServiceAccount token into HTTP requests when ClusterPolicy or GlobalContextEntry authors omit an Authorization header, enabling token exfiltration to attacker-controlled endpoints via confused deputy vulnerability. Affects deployments where policy YAML repositories are compromised (GitOps threat model) or ClusterPolicy creation is possible. CVSS 8.1 (High) reflects network attack vector with low complexity and low privileges required. No CISA KEV listing or public exploit identified at time of analysis, but GitHub advisory includes working proof-of-concept demonstrating token injection and exfiltration.
Technical ContextAI
Kyverno is a Kubernetes policy engine that validates, mutates, and generates resources using declarative policies. The vulnerable component is the context.apiCall.service feature allowing policies to make HTTP requests to external services. The root cause (CWE-441: Unintended Proxy or Intermediary) lies in pkg/engine/apicall/executor.go where the addHTTPHeaders function reads the controller's ServiceAccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and automatically injects it as an Authorization: Bearer header when no explicit Authorization header exists in the policy-defined request. Because ClusterPolicy and GlobalContextEntry allow authors to specify arbitrary service.url values, a malicious or compromised policy can redirect this authenticated request to an attacker-controlled endpoint. Namespaced policies are protected by a urlPath gate that blocks servicecall usage entirely, limiting the attack surface to cluster-scoped resources. The confused deputy pattern emerges because Kyverno acts as a privileged intermediary performing authenticated requests on behalf of policy definitions that should not inherit cluster-admin-level credentials.
RemediationAI
Consult the GitHub security advisory at https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp for vendor-released patched versions and upgrade instructions. Immediate workaround: audit all existing ClusterPolicy and GlobalContextEntry manifests for context.apiCall.service usage and ensure every servicecall explicitly sets an Authorization header (including empty string if authentication is not required), which disables the implicit token injection per the executor.addHTTPHeaders conditional logic. Compensating control with trade-offs: restrict ClusterPolicy and GlobalContextEntry creation via Kubernetes RBAC to only highly trusted principals, reducing the attack surface at the cost of limiting self-service policy workflows. For GitOps deployments, implement policy-as-code admission controls (e.g., OPA Gatekeeper on the policy repo or signed commit verification) to prevent untrusted policy modifications from reaching the cluster, adding CI/CD complexity but blocking the primary threat vector. Network-level mitigation: configure egress network policies to deny Kyverno controller pods from accessing non-essential external endpoints, though this may break legitimate servicecall integrations and requires per-environment tuning. Review and minimize RBAC grants to the Kyverno controller ServiceAccount to reduce blast radius of token exfiltration, recognizing this may limit Kyverno's policy enforcement capabilities depending on required cluster operations.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q93q-v844-jrqp