CVE-2026-22039
Published:January 27, 2026
Updated:April 20, 2026
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved "urlPath" is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Affected Packages
https://github.com/kyverno/kyverno.git (GITHUB):
Affected version(s) >=v1.16.0-rc.1 <v1.16.2Fix Suggestion:
Update to version v1.16.2https://github.com/kyverno/kyverno.git (GITHUB):
Affected version(s) >=v0.1.0 <v1.15.3Fix Suggestion:
Update to version v1.15.3github.com/kyverno/kyverno (GO):
Affected version(s) >=v1.16.0-rc.1 <v1.16.3Fix Suggestion:
Update to version v1.16.3Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
EPSS
Base Score:
0.06
