CVE-2026-22039

{"id": "CVE-2026-22039", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-22039", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T16:41:31.229138Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "kyverno", "product": "kyverno", "versions": [{"status": "affected", "version": "< 1.15.3"}, {"status": "affected", "version": ">= 1.16.0, < 1.16.3"}]}]}], "published": "2026-01-27T17:16:12.097", "references": [{"url": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy\u2019s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno\u2019s admission controller identity, targeting any API path allowed by that ServiceAccount\u2019s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."}, {"lang": "es", "value": "Kyverno es un motor de pol\u00edticas dise\u00f1ado para equipos de ingenier\u00eda de plataformas nativas de la nube. Las versiones anteriores a la 1.16.3 y 1.15.3 tienen un bypass cr\u00edtico de l\u00edmite de autorizaci\u00f3n en la llamada a la API de pol\u00edtica de Kyverno con espacio de nombres. La 'urlPath' resuelta se ejecuta utilizando la ServiceAccount del controlador de admisi\u00f3n de Kyverno, sin que se aplique que la solicitud est\u00e9 limitada al espacio de nombres de la pol\u00edtica. Como resultado, cualquier usuario autenticado con permiso para crear una pol\u00edtica con espacio de nombres puede hacer que Kyverno realice solicitudes a la API de Kubernetes utilizando la identidad del controlador de admisi\u00f3n de Kyverno, apuntando a cualquier ruta de API permitida por el RBAC de esa ServiceAccount. Esto rompe el aislamiento de espacios de nombres al permitir lecturas entre espacios de nombres (por ejemplo, ConfigMaps y, donde est\u00e9 permitido, Secrets) y permite escrituras a nivel de cl\u00faster o entre espacios de nombres (por ejemplo, la creaci\u00f3n de ClusterPolicies) controlando la 'urlPath' mediante la sustituci\u00f3n de variables de contexto. Las versiones 1.16.3 y 1.15.3 contienen un parche para la vulnerabilidad."}], "lastModified": "2026-06-17T10:19:24.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC83E83A-2BA5-4A52-AF06-06E67CA03749", "versionEndExcluding": "1.15.3"}, {"criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFFC15A4-197B-44FB-985A-BDDE22679655", "versionEndExcluding": "1.16.3", "versionStartIncluding": "1.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}