Description
Kyverno versions 1.16.0 and later are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

Kyverno and its associated policies are exposed to a Server Side Request Forgery (SSRF) flaw caused by unrestricted CEL HTTP functions. The vulnerability allows an attacker to instruct Kyverno to issue HTTP requests to arbitrary hosts from within the cluster, potentially accessing internal resources or sensitive information. The weakness is categorized as CWE-918.

Affected Systems

All Kyverno deployments running version 1.16.0 or newer are affected. The issue exists in any installation that includes the relevant CEL HTTP function code and has not yet received a patch that mitigates the flaw.

Risk and Exploitability

The severity rating of 9.8 places the flaw in the critical range. The EPSS score indicates that exploitation attempts are currently rare, and the vulnerability is not present in the CISA KEV catalog. Based on the description, the likely attack vector is when an attacker can submit or modify policy rules that invoke the CEL HTTP function, though the specific prerequisites are not disclosed in the CVE data.

Generated by OpenCVE AI on April 3, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kyverno to the latest release that fixes the SSRF vulnerability.
  • Restrict inbound access to the Kyverno API so only trusted users or service accounts can submit policies.
  • Apply network segmentation or firewall rules to prevent Kyverno pods from making outbound HTTP requests to internal networks.
  • If immediate upgrade is not possible, disable or limit CEL HTTP functions within Kyverno’s configuration.
  • Monitor Kyverno logs for unexpected outbound HTTP requests.


Advisories

Source: GitHub GHSA
ID: GHSA-qqrv-2hch-83q4
Title: Kyverno is vulnerable to server-side request forgery (SSRF)

Source: GitHub GHSA
ID: GHSA-rggm-jjmc-3394
Title: Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access

History

Fri, 03 Apr 2026 19:00:00 +0000
  Type: CPEs
  Values: cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000
  Type: Weaknesses
  Values: CWE-918

Thu, 02 Apr 2026 20:30:00 +0000
  Type: Weaknesses
  Values: CWE-918

Wed, 01 Apr 2026 23:45:00 +0000
  Type: Metrics
  Values:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000
  Type: First Time appeared
  Values: Kyverno; Kyverno kyverno
  Type: Weaknesses
  Values: CWE-918
  Type: Vendors & Products
  Values: Kyverno; Kyverno kyverno

Tue, 31 Mar 2026 03:00:00 +0000
  Type: Description
  Values: Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
  Type: Title
  Values: CVE-2026-4789

References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-01T18:43:50.952Z

Reserved: 2026-03-24T20:03:13.388Z

Link: CVE-2026-4789

Vulnrichment

Updated: 2026-03-30T21:18:08.577Z

NVD

Status: Analyzed

Published: 2026-03-30T21:17:10.843

Modified: 2026-04-03T18:17:51.837

Link: CVE-2026-4789

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:29Z

Weaknesses