Description
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
Published: 2026-04-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: RBAC bypass via ConfigMap context loader allowing cross‑namespace reads
Action: Apply Patch
AI Analysis

Impact

Kyverno’s ConfigMap context loader accepts an arbitrary namespace value without validation, enabling a namespace admin to read ConfigMaps from any namespace using Kyverno’s privileged service account. This flaw constitutes a complete RBAC bypass in multi‑tenant Kubernetes clusters, allowing unintended disclosure of configuration data vulnerability mirrors the prior CVE-2026-22039 fix, and in the current version the patch is only incomplete.

Affected Systems

The Kyverno policy engine, any release prior to version 1.17.2, is affected. All other editions run natively on Kubernetes and employ the same ConfigMap context loader.

Risk and Exploitability

Evaluated with a CVSS score of 7.7, the EPSS score is below 1%, and the vulnerability is not listed in CISA KEV. The exploit requires a privileged Kyverno service account and sufficient access to specify a ConfigMap context. An attacker can target the ConfigMap context loader to retrieve configuration data from any namespace, potentially revealing secrets and enabling further privilege escalation. The risk is moderate but exploitability is low due to the need for Kubernetes RBAC privileges.

Generated by OpenCVE AI on April 28, 2026 at 06:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kyverno to version 1.17.2 or later, which includes a fix for the ConfigMap context loader validation.
  • Ensure that the Kyverno service account is granted only the minimal permissions required for policy evaluation.
  • If an immediate upgrade is not possible, isolate the Kyverno deployment so that its service account cannot read ConfigMaps in other namespaces, or explicitly deny the "configMap.namespace" input via Admission Webhooks or RBAC rules.

Generated by OpenCVE AI on April 28, 2026 at 06:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cvq5-hhx3-f99p Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
History

Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Kyverno
Kyverno kyverno
CPEs cpe:2.3:a:kyverno:kyverno:*:-:*:*:*:*:*:*
Vendors & Products Kyverno
Kyverno kyverno

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
Title Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Kyverno Kyverno
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T16:22:26.972Z

Reserved: 2026-04-16T16:43:03.174Z

Link: CVE-2026-41068

cve-icon Vulnrichment

Updated: 2026-04-24T16:22:21.071Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T04:16:19.950

Modified: 2026-04-27T17:48:04.857

Link: CVE-2026-41068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses