Kyverno, Authorization Bypass, CVE-2025-XXXX (Critical)

Listen to this Post

The vulnerability exploits Kyverno’s apiCall context variable substitution. When a namespaced Policy is evaluated, user-controlled variables are inserted into the `urlPath` field of an apiCall context entry. Kyverno’s admission controller service account then executes this raw, resolved path against the Kubernetes API server using the `RawAbsPath` method. No validation ensures the final path is constrained to the policy’s namespace. An attacker with permissions to create a namespaced Policy can craft a `urlPath` pointing to cluster-scoped resources (e.g., /apis/kyverno.io/v1/clusterpolicies) or resources in other namespaces (e.g., /api/v1/namespaces/kube-system/configmaps). This allows them to perform reads and writes with the high-privileged Kyverno service account identity, breaching namespace isolation and enabling privilege escalation.
Platform: Kyverno
Version: v1.16.1
Vulnerability : Authorization Bypass
Severity: Critical
date: 2025-XX-XX

Prediction: 2025-XX-XX

What Undercode Say:

kubectl create configmap target-cm -n kube-system --from-literal=key=confidential-data
kubectl create role policy-admin-role -n default --verb=create,get,list,update,delete --resource=policies.kyverno.io,configmaps
kubectl apply --as=system:serviceaccount:default:policy-admin -f -
kubectl auth can-i --as=system:serviceaccount:kyverno:kyverno-admission-controller --list

How Exploit:

Create namespaced Policy.

Inject malicious urlPath.

Trigger via resource creation.

Exfiltrate data via denial message.

Create cluster-scoped resources.

Protection from this CVE

Patch to v1.16.2+.

Implement path validation.

Enforce namespace scope.

Restrict Kyverno RBAC.

Monitor Policy creation.

Impact:

Privilege Escalation

Namespace Isolation Break

Data Exfiltration

Cluster-Wide Disruption

Unauthorized Writes

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top