Skip to main content

Kubewarden Policy Engine CVE-2026-42541

MEDIUM
Missing Authorization (CWE-862)
2026-05-05 https://github.com/kubewarden/kubewarden-controller GHSA-wqcw-g35j-j578
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 22:30 vuln.today
Analysis Generated
May 05, 2026 - 22:30 vuln.today

DescriptionGitHub Advisory

Impact

Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation.

An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerate RBAC permissions of any user or service account across the cluster. Three operations on the host capabilities kubewarden/kubernetes binding enforce the context-aware allow-list via can_access_kubernetes_resource():

  • list_resources_by_namespace
  • list_resources_all
  • get_resource

However, can_i does not perform that check and forwards the request directly to the callback handler, which executes a real SubjectAccessReview using policy-server privileges. This creates a policy-level authorization gap: can_i is effectively usable even when the policy has no context-aware resource grant.

This is an information disclosure / reconnaissance issue, and not direct workload data exfiltration. The attacker learns permission information, such as whether specific service accounts can "get secrets", "create pods", or "bind clusterroles" in chosen namespaces.

Patches

Cluster Operators, if providing their users with privileges to deploy AdmissionPolicies or AdmissionPolicygroups (which isn't the default), must then also deploy PolicyServers with reduced permissions for host capability calls. This includes the PolicyServer default. For that, make use of the new feature in v1.35:

  • For custom PolicyServers: Set the new PolicyServer.spec.namespacedPoliciesCapabilities , for example to an empty list [] which doesn't allow any capability.
  • For the default PolicyServer, set the .Values.policyServer.namespacedPoliciesCapabilities , for example to an empty list [] which doesn't allow any capability.

Also, if needed, they must ensure that those namespaced AdmissionPolicies or AdmissionPolicygroups are scheduled in the PolicyServers with reduced permissions. For that, they could make use of the new ns-policyserver-mapper policy, their own policy or other means, such as GitOps.

See: https://docs.kubewarden.io/howtos/policy-servers/namespaced-policies-capabilities

Workarounds

Cluster Operators can opt for:

  • Not allowing users to create namespaced policies (AdmissionPolicies, AdmissionPolicyGroups).
  • Removing SubjectAccessReview "create" permissions for the PolicyServer ServiceAccount RBAC being used, in custom PolicyServers and the PolicyServer default.

Resources

  • Code changes, with new security feature: https://github.com/kubewarden/kubewarden-controller/pull/1693
  • Documentation changes: https://github.com/kubewarden/docs/pull/737
  • Explained new feature on 1.35.0
  • Updated Threat model assessment

AnalysisAI

Kubewarden versions before 1.35.0 permit RBAC reconnaissance attacks when users with AdmissionPolicy or AdmissionPolicyGroup creation privileges craft policies using the unchecked can_i host capability. The vulnerability allows enumeration of any user or service account permissions across the cluster via SubjectAccessReview requests executed with policy-server privileges, despite the absence of context-aware resource grants. This information disclosure enables attackers to discover sensitive permission configurations without requiring cluster-wide policy creation rights, a capability not available by default but exploitable when granted.

Technical ContextAI

Kubewarden is a Kubernetes policy engine that permits namespace-scoped AdmissionPolicy and AdmissionPolicyGroup resources to be deployed by unprivileged users. The engine enforces authorization checks on three host capability operations-list_resources_by_namespace, list_resources_all, and get_resource-through a can_access_kubernetes_resource() context-aware allow-list mechanism. However, the can_i host capability for SubjectAccessReview queries bypasses this authorization gate, directly forwarding requests to the policy-server callback handler which executes as the PolicyServer ServiceAccount. This allows a malicious namespaced policy to invoke Kubernetes SubjectAccessReview (SAR) operations with the policy-server's RBAC privileges, querying permissions for arbitrary subjects. The root cause is CWE-862 (Missing Authorization), where the can_i operation lacks the same context-aware enforcement applied to resource access operations. The affected component is the kubewarden-controller, distributed as pkg:go/github.com/kubewarden/kubewarden-controller.

RemediationAI

Vendor-released patch: Upgrade to Kubewarden v1.35.0 or later. Additionally, cluster operators must implement host capability restrictions on PolicyServers to enforce the new security model. For custom PolicyServers, add spec.namespacedPoliciesCapabilities: [] (empty list) to deny all host capabilities to namespaced policies, or specify a whitelist of permitted capabilities (e.g., ["oci/v1/verify", "net/v1/dns_lookup_host"]). For the default PolicyServer, set .Values.policyServer.namespacedPoliciesCapabilities: [] via Helm values. If namespaced policies legitimately require certain host capabilities, apply the new ns-policyserver-mapper policy or GitOps-based scheduling to route namespaced policies to PolicyServers with appropriate capability grants, keeping capability-restricted PolicyServers isolated from policies that need them. Alternatively, as a pre-patch workaround, cluster operators can remove SubjectAccessReview 'create' permissions from the PolicyServer ServiceAccount RBAC in both custom and default PolicyServers; this blocks SAR execution but does not address the authorization gap in the code. For deployments where policy creation cannot yet be restricted, the workaround reduces exposure from unbounded RBAC enumeration to only the specific subset of subjects the PolicyServer can query via its own RBAC. See patch references: https://github.com/kubewarden/kubewarden-controller/pull/1693 (code fix with capability enforcement logic) and https://github.com/kubewarden/docs/pull/737 (configuration guidance). Documentation: https://docs.kubewarden.io/howtos/policy-servers/namespaced-policies-capabilities

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-42541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy