CVE-2026-22039 is a critical vulnerability in Kyverno, a policy engine designed for cloud-native platform engineering teams. The vulnerability, an authorization boundary bypass in the apiCall context of namespaced Kyverno Policy resources, affects versions prior to 1.16.3 and 1.15.3. The resolved `urlPath` of an apiCall is requested using the Kyverno admission controller's ServiceAccount, and nothing restricts that request to the namespace of the Policy that declares it.
As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests under the admission controller's identity. Because the request carries that identity, it can reach any API path permitted by the ServiceAccount's RBAC, which effectively breaks namespace isolation.
The impact includes cross-namespace reads, such as ConfigMaps and Secrets in other namespaces, and cluster-scoped writes, including the creation of ClusterPolicies. Given the critical nature of this vulnerability and its potential impact, organizations using Kyverno are urged to prioritize patching immediately.
The fix is included in versions 1.16.3 and 1.15.3.
Organizations should ensure they are running one of these updated versions to prevent unauthorized access to their Kubernetes environments.
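As an added audit example (not Kyverno's own code or any official tooling), the following Python scans namespaced Kyverno Policy resources for apiCall `urlPath` values that reach outside the declaring Policy's namespace, which is the condition this vulnerability turns into a privilege boundary bypass. It assumes the standard Policy layout (`spec.rules[].context[].apiCall.urlPath`) and uses a constructed sample in place of real `kubectl get policy -A -o json` output.

```python
import re

# Namespace segment of core ("/api/v1/...") and group ("/apis/<g>/<v>/...") API
# paths; anything without such a segment is treated as a cluster-scoped path.
_NS_RE = re.compile(r"^/(?:api/v1|apis/[^/]+/[^/]+)/namespaces/([^/?]+)(?:/|\?|$)")

def classify_url_path(url_path, policy_namespace):
    """Return 'same-namespace', 'cross-namespace', 'cluster-scoped', or 'dynamic'
    (namespace is a {{...}} variable that only resolves at admission time)."""
    m = _NS_RE.match(url_path)
    if m is None:
        return "cluster-scoped"
    ns = m.group(1)
    if "{{" in ns:
        return "dynamic"
    return "same-namespace" if ns == policy_namespace else "cross-namespace"

def audit_policy_list(policy_list):
    """Walk a PolicyList (parsed `kubectl get policy -A -o json` output) and return
    one finding per apiCall whose urlPath is not confined to the Policy's namespace."""
    findings = []
    for item in policy_list.get("items", []):
        if item.get("kind") != "Policy":  # ClusterPolicy is cluster-wide by design
            continue
        meta = item.get("metadata", {})
        name, ns = meta.get("name"), meta.get("namespace")
        for rule in item.get("spec", {}).get("rules", []) or []:
            for ctx in rule.get("context") or []:
                url_path = (ctx.get("apiCall") or {}).get("urlPath")
                if not url_path:
                    continue
                verdict = classify_url_path(url_path, ns)
                if verdict != "same-namespace":
                    findings.append({"policy": f"{ns}/{name}", "rule": rule.get("name"),
                                     "context": ctx.get("name"), "urlPath": url_path,
                                     "verdict": verdict})
    return findings

# Constructed sample input (not real cluster data): two namespaced Policies.
SAMPLE_POLICY_LIST = {"kind": "PolicyList", "items": [
    {"kind": "Policy", "metadata": {"name": "pods-only", "namespace": "team-a"},
     "spec": {"rules": [{"name": "r1", "context": [
         {"name": "pods", "apiCall": {"urlPath": "/api/v1/namespaces/team-a/pods"}}]}]}},
    {"kind": "Policy", "metadata": {"name": "reaches-out", "namespace": "team-a"},
     "spec": {"rules": [{"name": "r1", "context": [
         {"name": "s", "apiCall": {"urlPath": "/api/v1/namespaces/kube-system/secrets"}},
         {"name": "cp", "apiCall": {"urlPath": "/apis/kyverno.io/v1/clusterpolicies"}},
         {"name": "cm", "apiCall": {"urlPath": "/api/v1/namespaces/{{request.namespace}}/configmaps"}}]}]}}]}
```

Calling `audit_policy_list(SAMPLE_POLICY_LIST)` yields one finding per escaping apiCall in the second policy; the scan identifies policies to review on not-yet-upgraded clusters and does not replace moving to a fixed version.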
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.