Skip to main content

Kyverno EUVDEUVD-2026-25382

| CVE-2026-41068 HIGH
Incorrect Authorization (CWE-863)
2026-04-24 GitHub_M GHSA-cvq5-hhx3-f99p
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 17:48 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 05:01 EUVD
Analysis Generated
Apr 24, 2026 - 04:30 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 04:00 euvd
EUVD-2026-25382
Analysis Generated
Apr 24, 2026 - 04:00 vuln.today
CVE Published
Apr 24, 2026 - 03:14 nvd
HIGH 7.7

DescriptionGitHub Advisory

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability - the configMap.namespace field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.

AnalysisAI

Cross-namespace privilege escalation in Kyverno 1.17.x allows authenticated namespace administrators to bypass RBAC controls and read ConfigMaps from any Kubernetes namespace. The vulnerability exploits unvalidated configMap.namespace field in Kyverno's ConfigMap context loader, enabling attackers to leverage Kyverno's privileged service account permissions. This is a regression following incomplete fix for CVE-2026-22039, which addressed the same issue in apiCall context but missed the ConfigMap loader. Patch available in version 1.17.2. CVSS 7.7 with Changed Scope indicates significant multi-tenant cluster risk; EPSS data not available but the regression nature and RBAC bypass impact warrant immediate patching in multi-tenant environments.

Technical ContextAI

Kyverno is a Kubernetes-native policy engine that operates with elevated cluster privileges to enforce policies across namespaces. The vulnerability resides in Kyverno's ConfigMap context loader, which allows policy authors to reference external ConfigMaps as context data sources. The configMap.namespace parameter accepts arbitrary namespace values without validation against the requesting user's RBAC permissions. When a policy containing a ConfigMap context is evaluated, Kyverno's service account (which has cluster-wide read access) fetches the ConfigMap regardless of whether the policy author has permissions to that namespace. This violates the principle of least privilege and creates a confused deputy problem where Kyverno acts as a privilege escalation proxy. The root cause is CWE-863 (Incorrect Authorization), specifically missing authorization checks in the context loading phase. This mirrors CVE-2026-22039's URLPath validation issue but affects a different code path, indicating incomplete threat modeling during the original fix.

RemediationAI

Upgrade to Kyverno version 1.17.2 or later, as confirmed by vendor advisory GHSA-cvq5-hhx3-f99p and fix commit bbf3e5c01391d612968440659028ae98e565a777. For clusters unable to immediately upgrade, implement these compensating controls: First, audit all Kyverno policies for ConfigMap context usage with kubectl get clusterpolicies,policies --all-namespaces -o yaml | grep -A5 'configMap:' and review namespace references for cross-namespace access patterns. Second, restrict policy creation permissions to cluster administrators only by removing create/update verbs for Policy and ClusterPolicy resources from namespace-scoped RoleBindings (trade-off: reduces self-service policy management). Third, move sensitive ConfigMaps to a dedicated restricted namespace with network policies blocking pod access, relying on Kyverno's inability to enforce network-level isolation (trade-off: requires ConfigMap migration and application reconfiguration). Fourth, enable Kubernetes audit logging for ConfigMap read events from Kyverno's service account to detect exploitation attempts with audit.k8s.io/v1 rules (trade-off: increased log volume and analysis overhead). None of these workarounds fully mitigate the vulnerability; upgrade remains the only complete remediation. Vendor advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-25382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy