Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation - it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.
AnalysisAI
Kyverno's apiCall feature automatically attaches the admission controller's ServiceAccount token to HTTP requests without validating the destination URL, enabling authenticated attackers to exfiltrate tokens to attacker-controlled servers and achieve full cluster compromise through webhook configuration tampering. Affects Kyverno versions prior to 1.18.0-rc1, 1.17.2-rc1, and 1.16.4. Vendor-released patches available across all three affected version branches. EPSS data not provided, but the vulnerability enables privilege escalation from low-privilege Kubernetes user to cluster admin via token theft, representing critical risk in multi-tenant environments.
Technical ContextAI
Kyverno is a Kubernetes policy engine that uses admission webhooks to enforce policies. The vulnerable apiCall feature allows ClusterPolicy resources to make external HTTP calls during policy evaluation. The flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) lies in the automatic attachment of the admission controller's ServiceAccount token to these HTTP requests combined with complete absence of URL validation. In Kubernetes RBAC architecture, the admission controller ServiceAccount requires elevated privileges including the ability to patch MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources to manage its own webhook endpoints. By directing apiCall to an attacker-controlled HTTPS endpoint, the ServiceAccount bearer token is leaked in the Authorization header, which can then be replayed to the Kubernetes API server with full admission controller privileges.
RemediationAI
Upgrade Kyverno to patched versions: 1.18.0-rc1 or later for 1.18.x deployments, 1.17.2-rc1 or later for 1.17.x deployments, or 1.16.4 or later for 1.16.x deployments. Patches implement URL validation and restrict ServiceAccount token attachment in apiCall features per commits bc4f91c, c2eab00, and f70e8ac. If immediate patching is not feasible, implement compensating controls by restricting ClusterPolicy create/update RBAC permissions to only highly trusted administrators (reducing attack surface to PR:H effectively), deploying network policies to block egress from the kyverno admission controller pods to external networks (prevents token exfiltration but may break legitimate apiCall use cases requiring external connectivity), and enabling comprehensive audit logging for ClusterPolicy modifications and admission controller network connections to detect exploitation attempts. Review existing ClusterPolicy resources for unexpected apiCall directives pointing to non-organizational domains. Note that egress blocking will disable all external apiCall functionality, potentially breaking legitimate policy workflows. Full remediation details at https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25389
GHSA-f9g8-6ppc-pqq4