CVE-2025-46342

HIGH

Kyverno <1.13.5-1.14.0 - Privilege Escalation

Title source: llm

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

References (2)

[Exploit, Vendor Advisory] https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc

[Patch] https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194

View Patch ZIP pw:eip

Scores

CVSS v3 8.5

EPSS 0.0032

EPSS Percentile 55.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1287

Status published

Products (2)

kyverno/kyverno < 1.11.5

kyverno/kyverno 0 - 1.13.5Go

Published Apr 30, 2025

Tracked Since Feb 18, 2026