CVE-2026-22039

Status: PUBLISHED

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in the `apiCall` context of a namespaced Kyverno `Policy`. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace. As a result, any authenticated user with permission to create a namespaced `Policy` can cause Kyverno to perform Kubernetes API requests using Kyverno's admission controller identity, targeting any API path allowed by that ServiceAccount's RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the `urlPath` through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
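As an added defensive illustration (not code from the advisory or the Kyverno project), the following Python audit walks namespaced Policy manifests and flags every `apiCall` whose `urlPath` cannot be statically bounded to the policy's own namespace: variable substitution in the path, a different namespace, a cluster-scoped path, or a non-GET method. The sample manifests are constructed, and the regex assumes the standard Kubernetes `/api/<version>/namespaces/<ns>/...` and `/apis/<group>/<version>/namespaces/<ns>/...` URL layout.

```python
import re
from typing import Any
# Namespaced Kubernetes API path: /api/v1/namespaces/<ns>/... or /apis/<group>/<version>/namespaces/<ns>/...
_NS_PATH = re.compile(r"^/(?:api|apis/[^/]+)/[^/]+/namespaces/([^/]+)(?:/|$)")
_SUBST = re.compile(r"\{\{.*?\}\}")  # Kyverno variable substitution, resolved only at admission time

def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Findings for one namespaced kyverno.io Policy: apiCall urlPaths that use variable
    substitution, name another namespace or are cluster-scoped, and non-GET methods."""
    findings: list[str] = []
    if policy.get("kind") != "Policy":  # ClusterPolicy is cluster-scoped by design; skip it
        return findings
    ns, name = policy["metadata"]["namespace"], policy["metadata"]["name"]
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context") or []:
            call = ctx.get("apiCall")
            if not call or "urlPath" not in call:
                continue  # not an apiCall, or a service-style call without urlPath
            path = call["urlPath"]
            where = f"{ns}/{name} rule={rule.get('name')} context={ctx.get('name')}"
            if _SUBST.search(path):
                findings.append(f"{where}: urlPath uses variable substitution: {path}")
            elif (m := _NS_PATH.match(path)) is None:
                findings.append(f"{where}: urlPath is cluster-scoped: {path}")
            elif m.group(1) != ns:
                findings.append(f"{where}: urlPath targets namespace {m.group(1)!r}, not {ns!r}")
            if call.get("method", "GET").upper() != "GET":
                findings.append(f"{where}: non-GET apiCall method {call['method']}")
    return findings

def audit_policies(policies: list[dict[str, Any]]) -> list[str]:
    return [f for p in policies for f in audit_policy(p)]

# Constructed sample manifests (not taken from the advisory): the first stays in bounds, the second does not.
SAMPLE_POLICIES = [
    {"apiVersion": "kyverno.io/v1", "kind": "Policy",
     "metadata": {"name": "same-ns", "namespace": "team-a"},
     "spec": {"rules": [{"name": "r1", "context": [
         {"name": "cms", "apiCall": {"urlPath": "/api/v1/namespaces/team-a/configmaps"}}]}]}},
    {"apiVersion": "kyverno.io/v1", "kind": "Policy",
     "metadata": {"name": "out-of-bounds", "namespace": "team-a"},
     "spec": {"rules": [{"name": "r1", "context": [
         {"name": "other", "apiCall": {"urlPath": "/api/v1/namespaces/kube-system/secrets"}},
         {"name": "dyn", "apiCall": {"urlPath": "/api/v1/namespaces/{{request.object.spec.target}}/secrets"}},
         {"name": "write", "apiCall": {"urlPath": "/apis/kyverno.io/v1/clusterpolicies", "method": "POST"}}]}]}},
]

if __name__ == "__main__":
    print(*audit_policies(SAMPLE_POLICIES), sep="\n")
```

Run it against manifests exported with `kubectl get policies -A -o json` (converted to a list of dicts) to locate policies that need review before or after upgrading to 1.16.3 / 1.15.3.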

Risk Scores

EPSS Score
0.03%
7.9th percentile

Affected Products

Vendor    Product    Versions
Bitnami   kyverno    1.16.0, 0
Bitnami   kyverno    0, 1.16.0

Timeline

  • Jan 27, 2026 CVE Published
  • Jan 27, 2026 PoC Published
  • Jan 27, 2026 PoC Published
  • Jan 28, 2026 EPSS Score
  • Jan 29, 2026 CVE Updated
  • Jan 30, 2026 EPSS Score
  • Jan 30, 2026 Security Advisory
  • Feb 2, 2026 EPSS Score
  • Feb 4, 2026 EPSS Score
  • Feb 5, 2026 PoC Published
  • Feb 7, 2026 EPSS Score
  • Feb 9, 2026 EPSS Score