Impact
Kyverno versions 1.16.0 and later expose a server-side request forgery (SSRF) flaw through unrestricted Common Expression Language (CEL) HTTP functions. An attacker who can author a policy, or influence the data a policy's CEL expression passes to those functions, can make the Kyverno controller issue arbitrary HTTP requests to any address reachable from the cluster, with the controller's network position and service account identity. This can lead to data exfiltration, discovery of internal services, or further lateral movement. The core weakness is an HTTP call capability embedded in policy evaluation with no restriction on destination, so a malicious or attacker-influenced expression can direct requests at privileged internal endpoints such as cloud metadata services or unauthenticated in-cluster APIs.
Affected Systems
The vulnerability affects Kyverno, the Kubernetes policy engine. All releases from 1.16.0 onward are impacted until a fix that limits or disables the CEL HTTP functions is applied. No patch release in that range is excluded; any installation running 1.16.0 or later without the fix is at risk.
Risk and Exploitability
Official risk scoring (CVSS) is not available, but the nature of SSRF implies that confidentiality and integrity risks, and potentially availability, could be significant, especially in environments with internal services that trust in-cluster callers. The absence of an EPSS value does not mean exploitation is unlikely; an attacker can craft a policy whose CEL expression triggers the HTTP function. Because the attack depends on input the attacker controls (a policy, or admission review content that a policy feeds into the function), it requires either the RBAC rights to create or modify Kyverno policies or an existing policy that builds the request URL from request data. Once that precondition is met, exploitation takes minimal effort. The vulnerability is not listed in the KEV catalog at this time.
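Two practical checks follow from the Impact and Risk sections above: find which policies call the CEL HTTP functions (and whether the URL is a literal or built from request data), and decide what a destination restriction of the kind the fix applies would have to reject. The Go program below is an added example written for this page; it is not Kyverno's code and not the project's fix. It assumes the functions are spelled http.Get and http.Post in the policy's CEL, scans expression text with a regular expression (it does not parse CEL), and uses a hostname allowlist plus a deny list of loopback, private and link-local ranges. The sample expressions and the host policy-data.example.internal are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// Literal first argument of http.Get / http.Post, e.g. http.Get("http://10.0.0.1/x").
// Assumes double-quoted CEL string literals; single-quoted ones are not matched.
var celHTTPLiteral = regexp.MustCompile(`http\.(Get|Post)\(\s*"([^"]*)"`)

// First argument that is not a string literal (built from object, request, ...).
var celHTTPDynamic = regexp.MustCompile(`http\.(Get|Post)\(\s*[^"\s)]`)

// HTTPCallsIn returns the URLs handed to http.Get/http.Post inside a CEL
// expression. A call whose URL is computed from request data is reported as
// "<dynamic>": that is the case an admission-request author can steer.
func HTTPCallsIn(expr string) []string {
	var out []string
	for _, m := range celHTTPLiteral.FindAllStringSubmatch(expr, -1) {
		out = append(out, m[2])
	}
	for range celHTTPDynamic.FindAllString(expr, -1) {
		out = append(out, "<dynamic>")
	}
	return out
}

// Ranges a policy engine's outbound HTTP client should never be steered to:
// loopback, RFC 1918, link-local (cloud metadata lives at 169.254.169.254),
// the "this network" block and their IPv6 equivalents.
var deniedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("fc00::/7"),
}

// CheckDestination decides whether rawURL may be fetched under a hostname
// allowlist. It rejects non-http(s) schemes, literal IPs inside a denied
// range (IPv4-mapped IPv6 forms are unmapped first so "::ffff:10.0.0.5"
// is caught) and any host not on the allowlist. DNS is deliberately not
// resolved here so the check is deterministic; a real guard must also pin
// the resolved address at dial time, otherwise DNS rebinding bypasses it.
func CheckDestination(rawURL string, allowedHosts []string) (bool, string) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, "unparseable URL"
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false, "scheme not allowed: " + u.Scheme
	}
	host := u.Hostname()
	if host == "" {
		return false, "empty host"
	}
	if ip, err := netip.ParseAddr(host); err == nil {
		ip = ip.Unmap().WithZone("")
		for _, p := range deniedPrefixes {
			if p.Contains(ip) {
				return false, "destination in denied range " + p.String()
			}
		}
	}
	for _, a := range allowedHosts {
		if strings.EqualFold(host, a) {
			return true, "ok"
		}
	}
	return false, "host not on allowlist: " + host
}

func main() {
	// Constructed sample expressions; the shape of the return value is illustrative only.
	exprs := []string{
		`size(http.Get("http://169.254.169.254/latest/meta-data/")) > 0`,
		`size(http.Post("https://policy-data.example.internal/check", object, {})) > 0`,
		`size(http.Get(object.spec.webhookURL)) > 0`,
	}
	allow := []string{"policy-data.example.internal"}
	for _, e := range exprs {
		for _, dst := range HTTPCallsIn(e) {
			if dst == "<dynamic>" {
				fmt.Println("DYNAMIC  URL built from request data:", e)
				continue
			}
			ok, why := CheckDestination(dst, allow)
			fmt.Printf("%-8v %s (%s)\n", ok, dst, why)
		}
	}
}
```

To audit a live cluster, export the CEL-based policy resources as YAML and feed each expression string to HTTPCallsIn; any "<dynamic>" hit deserves the same scrutiny as a literal internal address, because the admission request, not the policy author, decides where the controller connects. The allowlist is the primary control; the deny list only catches literal addresses and is there to make the failure mode obvious, not to replace the allowlist.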