Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
AnalysisAI
Kyverno versions 1.16.0 and later contain a server-side request forgery vulnerability in unrestricted CEL HTTP functions that allow attackers to make arbitrary HTTP requests from the Kyverno controller, potentially accessing internal services and metadata endpoints. The vulnerability affects Kubernetes clusters running vulnerable Kyverno versions with policies utilizing CEL-based HTTP operations, with no CVSS or EPSS data currently available to quantify severity.
Technical ContextAI
Kyverno is a Kubernetes-native policy engine that uses Common Expression Language (CEL) for policy evaluation. The vulnerability stems from insufficient input validation or authorization controls on CEL HTTP functions, which are likely implemented as part of Kyverno's policy validation framework. When policies evaluate untrusted input or user-controlled values through CEL HTTP operations, an attacker can craft policy expressions that cause the Kyverno controller to issue requests to arbitrary URLs, including internal Kubernetes API servers, cloud metadata services (AWS IMDSv1, GCP metadata), or other backend systems not intended for external access. This is a classic SSRF pattern where a trusted service (Kyverno running with elevated cluster permissions) becomes a pivot point for accessing restricted network resources.
RemediationAI
Upgrade Kyverno to a patched version released after the vulnerability disclosure; consult the official Kyverno GitHub releases and CERT advisory for the specific minimum fixed version. As an interim mitigation, restrict policy definitions to trusted authors only, disable or sandbox CEL HTTP functions if Kyverno configuration allows, implement network policies to limit outbound HTTP/HTTPS traffic from Kyverno controller pods to only necessary endpoints, and audit existing policies for suspicious HTTP operations. Additional guidance is available in the CERT advisory at https://kb.cert.org/vuls/id/655822.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17241
GHSA-qqrv-2hch-83q4