Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Token Leakage
Action: Immediate Patch
AI Analysis

Impact

Kyverno’s apiCall servicecall helper automatically adds an Authorization: Bearer header when a policy omits an explicit header, using the Kyverno controller’s service account token. Because the endpoint URL is supplied by policy, an attacker who can create a ClusterPolicy that points to a malicious endpoint can cause Kyverno to send its privileged token over the network. This leads to uncontrolled token disclosure, allowing the attacker to impersonate Kyverno and potentially gain full cluster access. The vulnerability is a token-to-service leakage (CWE-922).

Affected Systems

The defect resides in the community edition of Kyverno, the policy engine for Kubernetes. Versions before 1.16.4 are affected. The flaw only impacts policies of type ClusterPolicy or global-context, as namespaced policies are blocked by an internal URL gate.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. No EPSS data is available and the vulnerability is not listed in CISA KEV. Exploitation requires the ability to create or modify a ClusterPolicy, a privilege usually restricted to cluster administrators. Attacks would involve crafting a malicious servicecall policy that directs Kyverno to an attacker-controlled endpoint, causing the service account token to be sent outbound. The risk is significant for environments with loose RBAC or poor network segmentation.

Generated by OpenCVE AI on April 22, 2026 at 05:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kyverno 1.16.4 or later, which removes the implicit bearer token injection.
  • Restrict the creation of ClusterPolicy objects to trusted administrators and enforce policy reviews to ensure only trusted endpoints are used.
  • Apply network controls that limit the Kyverno controller’s outbound traffic to internal services only, preventing accidental exposure of the service account token to external hosts.
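As an added defender-side check (not code from the OpenCVE page or from the Kyverno project), the Python script below walks exported policy JSON, finds every apiCall service call wherever it sits in the object, and flags calls to hosts outside the cluster that do not set their own Authorization header, i.e. the calls that would carry the controller token on versions before 1.16.4. It assumes the apiCall.service.headers[].key/.value field layout, the default cluster.local DNS domain, and a constructed sample policy in place of live kubectl output.

```python
import json
from urllib.parse import urlparse

# Assumption: the cluster uses the default "cluster.local" DNS domain.
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")

def is_in_cluster(url):
    """True if the URL host is a Service DNS name or a bare service name."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    if not host:
        return False  # unparseable host: treat as external so it is flagged
    return "." not in host or host.endswith(IN_CLUSTER_SUFFIXES)

def has_explicit_auth(service):
    """True if the call sets its own Authorization header
    (assumed layout: apiCall.service.headers[].key / .value)."""
    return any(str(h.get("key", "")).lower() == "authorization"
               for h in service.get("headers") or [])

def find_api_calls(node, path="$"):
    """Yield (json_path, apiCall) for every apiCall object in the document."""
    if isinstance(node, dict):
        if isinstance(node.get("apiCall"), dict):
            yield path + ".apiCall", node["apiCall"]
        for key, value in node.items():
            yield from find_api_calls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_api_calls(value, f"{path}[{i}]")

def audit(obj):
    """Return (name, json_path, url) for each external call lacking explicit auth."""
    name = obj.get("metadata", {}).get("name", "?")
    findings = []
    for path, call in find_api_calls(obj):
        service = call.get("service") or {}
        url = service.get("url")
        if not url:
            continue  # urlPath-only calls go to the API server, not outbound
        if not is_in_cluster(url) and not has_explicit_auth(service):
            findings.append((name, path, url))
    return findings

# Constructed sample shaped like `kubectl get clusterpolicy <name> -o json`.
SAMPLE = json.loads("""{"kind": "ClusterPolicy", "metadata": {"name": "lookup-policy"},
 "spec": {"rules": [{"name": "check", "context": [
  {"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}},
  {"name": "ext", "apiCall": {"service": {"url": "https://lookup.example.com/v1"}}},
  {"name": "int", "apiCall": {"service": {"url": "https://lookup.kyverno.svc/v1"}}},
  {"name": "ext-auth", "apiCall": {"service": {"url": "https://lookup.example.com/v2",
   "headers": [{"key": "Authorization", "value": "Bearer <dedicated-token>"}]}}}]}]}}""")
```

Run audit() over each item of `kubectl get clusterpolicy -o json`'s items list (and over GlobalContextEntry objects, which carry the same apiCall shape) to get the list of calls worth reviewing before and after the upgrade.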


Advisories

Source: GitHub GHSA
ID: GHSA-q93q-v844-jrqp
Title: kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
History

Wed, 22 Apr 2026 14:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Values added:
  First Time appeared: Kyverno; Kyverno kyverno
  Vendors & Products: Kyverno; Kyverno kyverno

Wed, 22 Apr 2026 00:00:00 +0000

Values added:
  Description: (identical to the Description section above)
  Title: kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
  Weaknesses: CWE-922
  References: (none)
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:35:50.296Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40868

Vulnrichment

Updated: 2026-04-22T13:35:15.883Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T19:16:18.420

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses