Skip to main content

Suse CVE-2026-4789

| EUVDEUVD-2026-17241 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 21:22 euvd
EUVD-2026-17241
Analysis Generated
Mar 30, 2026 - 21:22 vuln.today
CVE Published
Mar 30, 2026 - 21:17 nvd
CRITICAL 9.8

DescriptionCVE.org

Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

AnalysisAI

Kyverno versions 1.16.0 and later contain a server-side request forgery vulnerability in unrestricted CEL HTTP functions that allow attackers to make arbitrary HTTP requests from the Kyverno controller, potentially accessing internal services and metadata endpoints. The vulnerability affects Kubernetes clusters running vulnerable Kyverno versions with policies utilizing CEL-based HTTP operations, with no CVSS or EPSS data currently available to quantify severity.

Technical ContextAI

Kyverno is a Kubernetes-native policy engine that uses Common Expression Language (CEL) for policy evaluation. The vulnerability stems from insufficient input validation or authorization controls on CEL HTTP functions, which are likely implemented as part of Kyverno's policy validation framework. When policies evaluate untrusted input or user-controlled values through CEL HTTP operations, an attacker can craft policy expressions that cause the Kyverno controller to issue requests to arbitrary URLs, including internal Kubernetes API servers, cloud metadata services (AWS IMDSv1, GCP metadata), or other backend systems not intended for external access. This is a classic SSRF pattern where a trusted service (Kyverno running with elevated cluster permissions) becomes a pivot point for accessing restricted network resources.

RemediationAI

Upgrade Kyverno to a patched version released after the vulnerability disclosure; consult the official Kyverno GitHub releases and CERT advisory for the specific minimum fixed version. As an interim mitigation, restrict policy definitions to trusted authors only, disable or sandbox CEL HTTP functions if Kyverno configuration allows, implement network policies to limit outbound HTTP/HTTPS traffic from Kyverno controller pods to only necessary endpoints, and audit existing policies for suspicious HTTP operations. Additional guidance is available in the CERT advisory at https://kb.cert.org/vuls/id/655822.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-4789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy