CVE-2026-22039 — Vulnetix

CVE-2026-22039 PUBLISHED

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

EPSS 0.05% · 16.5th percentile

Risk Scores

EPSS Score

0.05%

16.5th percentile

Affected Products

Vendor	Product	Versions
Bitnami	kyverno	0, 1.16.0
Bitnami	kyverno	0, 1.16.0

Timeline

Jan 27, 2026 CVE Published
Jan 27, 2026 PoC Published
Jan 27, 2026 PoC Published
Jan 28, 2026 EPSS Score
Jan 29, 2026 CVE Updated
Jan 30, 2026 EPSS Score
Jan 30, 2026 Security Advisory
Feb 1, 2026 EPSS Score
Feb 3, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 5, 2026 PoC Published
Feb 7, 2026 EPSS Score

References

Open in Interactive Console →