{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T05:05:09.077","vulnerabilities":[{"cve":{"id":"CVE-2026-22039","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T17:16:12.097","lastModified":"2026-02-02T15:13:57.440","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."},{"lang":"es","value":"Kyverno es un motor de políticas diseñado para equipos de ingeniería de plataformas nativas de la nube. Las versiones anteriores a la 1.16.3 y 1.15.3 tienen un bypass crítico de límite de autorización en la llamada a la API de política de Kyverno con espacio de nombres. La 'urlPath' resuelta se ejecuta utilizando la ServiceAccount del controlador de admisión de Kyverno, sin que se aplique que la solicitud esté limitada al espacio de nombres de la política. Como resultado, cualquier usuario autenticado con permiso para crear una política con espacio de nombres puede hacer que Kyverno realice solicitudes a la API de Kubernetes utilizando la identidad del controlador de admisión de Kyverno, apuntando a cualquier ruta de API permitida por el RBAC de esa ServiceAccount. Esto rompe el aislamiento de espacios de nombres al permitir lecturas entre espacios de nombres (por ejemplo, ConfigMaps y, donde esté permitido, Secrets) y permite escrituras a nivel de clúster o entre espacios de nombres (por ejemplo, la creación de ClusterPolicies) controlando la 'urlPath' mediante la sustitución de variables de contexto. Las versiones 1.16.3 y 1.15.3 contienen un parche para la vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-269"},{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*","versionEndExcluding":"1.15.3","matchCriteriaId":"EC83E83A-2BA5-4A52-AF06-06E67CA03749"},{"vulnerable":true,"criteria":"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*","versionStartIncluding":"1.16.0","versionEndExcluding":"1.16.3","matchCriteriaId":"AFFC15A4-197B-44FB-985A-BDDE22679655"}]}]}],"references":[{"url":"https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}