Skip to main content

Kubernetes CVE-2026-40868

HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-04-14 https://github.com/kyverno/kyverno GHSA-q93q-v844-jrqp
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 19:22 vuln.today
cvss_changed
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 16, 2026 - 00:21 vuln.today
Analysis Generated
Apr 15, 2026 - 21:15 vuln.today
CVE Published
Apr 14, 2026 - 20:09 nvd
HIGH 8.1

DescriptionGitHub Advisory

kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy).

namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage.

attacker model

the attacker can create or update a ClusterPolicy (or create a GlobalContextEntry) which uses context.apiCall.service.url and can choose the request URL and headers. a cross-boundary framing for real deployments is gitops: if the policy repo/controller is compromised, the ClusterPolicy/global context entry becomes untrusted input to kyverno.

relevant links

  • repository: https://github.com/kyverno/kyverno
  • commit: 17aeb52337fd66adb0c8126213ba076612a287a7
  • callsite (token injection): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/executor.go#L150-L173
  • namespaced policy gate (servicecall blocked): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/apiCall.go#L67-L83

root cause

in (*executor).addHTTPHeaders, kyverno reads the serviceaccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and injects it when the outgoing request has no Authorization header:

go
if req.Header.Get("Authorization") == "" {
  token := a.getToken()
  if token != "" {
    req.Header.Add("Authorization", "Bearer "+token)
  }
}

proof of concept

the attached poc.zip is a reproducible cluster PoC. it uses an in-cluster HTTP receiver which logs the Authorization header it receives. the PoC does not print token bytes; it only checks that the received header is non-empty and not equal to the negative control.

run (one command):

bash
unzip poc.zip -d poc
cd poc
make test

canonical (expected: implicit token injection):

bash
unzip poc.zip -d poc
cd poc
make canonical

expected output includes:

[CALLSITE_HIT]: executor.addHTTPHeaders Authorization=="" -> read_serviceaccount_token=true
[PROOF_MARKER]: authorization_header_injected=true token_nonempty=true

control (expected: explicit Authorization header disables auto-injection):

bash
unzip poc.zip -d poc
cd poc
make control

expected output includes:

[CALLSITE_HIT]: executor.addHTTPHeaders Authorization!="" -> autoinject_skipped=true
[NC_MARKER]: authorization_header_injected=false

optional: the canonical run may also print an [RBAC]: ... line using kubectl auth can-i with the exfiltrated token, to show concrete privileges without exposing the token.

impact

token exfiltration: the kyverno controller serviceaccount token is sent to a policy-controlled endpoint. impact depends on the rbac bound to that serviceaccount in the target deployment.

recommended fix

do not auto-inject the kyverno serviceaccount token into policy-controlled servicecall requests. require explicit Authorization configuration, or enforce a strict allowlist of destinations where credentials may be attached and document the behavior.

workarounds

  • avoid using servicecall to arbitrary urls in policies.
  • set an explicit Authorization header in servicecall policies to prevent implicit token injection.

poc.zip PR_DESCRIPTION.md

oleh

AnalysisAI

Kyverno's apiCall service helper automatically injects the controller's ServiceAccount token into HTTP requests when ClusterPolicy or GlobalContextEntry authors omit an Authorization header, enabling token exfiltration to attacker-controlled endpoints via confused deputy vulnerability. Affects deployments where policy YAML repositories are compromised (GitOps threat model) or ClusterPolicy creation is possible. CVSS 8.1 (High) reflects network attack vector with low complexity and low privileges required. No CISA KEV listing or public exploit identified at time of analysis, but GitHub advisory includes working proof-of-concept demonstrating token injection and exfiltration.

Technical ContextAI

Kyverno is a Kubernetes policy engine that validates, mutates, and generates resources using declarative policies. The vulnerable component is the context.apiCall.service feature allowing policies to make HTTP requests to external services. The root cause (CWE-441: Unintended Proxy or Intermediary) lies in pkg/engine/apicall/executor.go where the addHTTPHeaders function reads the controller's ServiceAccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and automatically injects it as an Authorization: Bearer header when no explicit Authorization header exists in the policy-defined request. Because ClusterPolicy and GlobalContextEntry allow authors to specify arbitrary service.url values, a malicious or compromised policy can redirect this authenticated request to an attacker-controlled endpoint. Namespaced policies are protected by a urlPath gate that blocks servicecall usage entirely, limiting the attack surface to cluster-scoped resources. The confused deputy pattern emerges because Kyverno acts as a privileged intermediary performing authenticated requests on behalf of policy definitions that should not inherit cluster-admin-level credentials.

RemediationAI

Consult the GitHub security advisory at https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp for vendor-released patched versions and upgrade instructions. Immediate workaround: audit all existing ClusterPolicy and GlobalContextEntry manifests for context.apiCall.service usage and ensure every servicecall explicitly sets an Authorization header (including empty string if authentication is not required), which disables the implicit token injection per the executor.addHTTPHeaders conditional logic. Compensating control with trade-offs: restrict ClusterPolicy and GlobalContextEntry creation via Kubernetes RBAC to only highly trusted principals, reducing the attack surface at the cost of limiting self-service policy workflows. For GitOps deployments, implement policy-as-code admission controls (e.g., OPA Gatekeeper on the policy repo or signed commit verification) to prevent untrusted policy modifications from reaching the cluster, adding CI/CD complexity but blocking the primary threat vector. Network-level mitigation: configure egress network policies to deny Kyverno controller pods from accessing non-essential external endpoints, though this may break legitimate servicecall integrations and requires per-environment tuning. Review and minimize RBAC grants to the Kyverno controller ServiceAccount to reduce blast radius of token exfiltration, recognizing this may limit Kyverno's policy enforcement capabilities depending on required cluster operations.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-40868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy