Listen to this Post
How the CVE works:
A Server-Side Request Forgery (SSRF) vulnerability in Kyverno allows authenticated users to induce the admission controller to send arbitrary HTTP requests to attacker-controlled endpoints. When a ClusterPolicy uses apiCall.service.url with variable substitution (e.g. {{request.object.}}), user-controlled input can influence the request target. The Kyverno admission controller executes these requests from its privileged network position without enforcing any validation or network restrictions. The issue becomes non-blind SSRF, as response data from internal services can be reflected back to the user via admission error messages. The vulnerability arises from missing protections: no URL validation, no IP filtering, unrestricted redirect handling, and response data reflection in admission errors. It is non-blind through two mechanisms: non-2xx responses return the body in admission errors, and 2xx responses with non-JSON content include response snippets in error output. A proof-of-concept involves creating a ClusterPolicy with a malicious apiCall.service.url and a Pod with a target annotation pointing to an internal service.
DailyCVE Form:
Platform: Kubernetes Kyverno
Version: 1.16.0 and later
Vulnerability : SSRF (Non-blind)
Severity: critical
date: 2026-04-14
Prediction: Unpatched (No fixed version)
What Undercode Say:
Bash commands and codes related to the blog
Check for vulnerable ClusterPolicies kubectl get clusterpolicies -o yaml | grep -B 5 -A 10 "apiCall.service.url" Attempt to exploit (requires a malicious ClusterPolicy) kubectl apply -f malicious-pod.yaml
Snippet of a vulnerable ClusterPolicy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: ssrf-vulnerable
spec:
rules:
- name: test-ssrf
match:
any:
- resources:
kinds:
- Pod
context:
- name: call
apiCall:
service:
url: "http://{{ request.object.metadata.annotations.target }}"
Exploit:
- Create a ClusterPolicy with an apiCall.service.url that uses variable substitution (e.g.,
http://{{ request.object.metadata.annotations.target }}). - Create a Pod with a malicious annotation pointing to an internal service (e.g.,
169.254.169.254/latest/meta-data/iam/security-credentials/). - Apply the Pod. The admission controller will make an HTTP request to the internal service.
- The response from the internal service is reflected in the admission error message, allowing data exfiltration.
Protection from this CVE:
- Avoid using user-controlled input in apiCall.service.url.
- Implement a network policy to restrict egress from the Kyverno admission controller.
- Monitor for suspicious apiCall patterns in ClusterPolicies.
- Apply any future patches from the Kyverno project once available.
Impact:
- Access to internal services (ClusterIP, localhost)
- Access to cloud metadata endpoints (e.g., AWS IMDS) leading to credential exposure
- Internal network reconnaissance
- Multi-tenant boundary weakening
- Potential for combining with other vulnerabilities to form a critical attack chain
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

