CVE-2026-41068
HIGHKyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Title source: cnaDescription
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p
X_Refsource_Misc x_refsource_misc
https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777
Scores
CVSS v3
7.7
EPSS
0.0027
EPSS Percentile
18.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
kyverno/kyverno
< 1.17.2 (2 CPE variants)
kyverno/kyverno
0Go
Published
Apr 24, 2026
Tracked Since
Apr 24, 2026