Kyverno API Call Vulnerability Exposes Kubernetes Clusters
The National Vulnerability Database has detailed CVE-2026-41323, a critical vulnerability in Kyverno, the Kubernetes policy engine. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno’s apiCall feature in ClusterPolicy automatically appended the admission controller’s ServiceAccount token to outgoing HTTP requests. The critical flaw lies in the lack of validation for the service URL, which could be directed to arbitrary, including attacker-controlled, servers.
This oversight means that an attacker could exfiltrate the admission controller’s ServiceAccount token. Given that this ServiceAccount typically possesses permissions to patch webhook configurations, a stolen token provides a direct pathway to full cluster compromise. The National Vulnerability Database assigns this a CVSS score of 8.1 (HIGH), underscoring the severe implications for confidentiality and integrity. The vulnerability is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-918 (Server-Side Request Forgery).
Defenders need to understand the attacker’s calculus here: a privileged ServiceAccount token is a high-value target because it enables lateral movement and privilege escalation. This isn’t theoretical; it’s a clear path to taking over a cluster. Patching is non-negotiable. Organizations running affected Kyverno versions must upgrade immediately to mitigate this severe risk.
What This Means For You
- If your organization uses Kyverno, you need to verify your version immediately. Check if you are running any version prior to 1.18.0-rc1, 1.17.2-rc1, or 1.16.4. Patching to the latest secure versions is critical to prevent ServiceAccount token exfiltration and potential full cluster compromise.
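As an added example (not code from the advisory or from the Kyverno project), the following Python helpers implement the version check described above against the three fixed versions, and audit a ClusterPolicy for apiCall contexts whose service URL points outside the cluster. It assumes the `spec.rules[].context[].apiCall.service.url` layout of Kyverno service calls; the in-cluster host heuristic and the sample policy are constructed assumptions.

```python
import re
from urllib.parse import urlparse


def parse_version(v):
    """Sort key (major, minor, patch, is_final, rc): a release sorts after its RCs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Kyverno version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def is_affected(version):
    """True if the version predates the fix for its release line.

    Fixed versions from the advisory: 1.16.4, 1.17.2-rc1, 1.18.0-rc1. Anything
    earlier on the same minor line, or on an older minor line, is affected.
    """
    key = parse_version(version)
    if key >= parse_version("1.18.0-rc1"):
        return False
    if key[:2] == (1, 17):
        return key < parse_version("1.17.2-rc1")
    return key < parse_version("1.16.4")


def in_cluster_host(host):
    """Heuristic (assumption): bare service names, kubernetes.default and *.svc[.cluster.local]."""
    if not host:
        return False
    return host == "kubernetes.default" or "." not in host or host.endswith((".svc", ".svc.cluster.local"))


def external_api_calls(policy):
    """(rule, context, url) for each apiCall.service.url not aimed at an in-cluster host."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context", []):
            svc = ctx.get("apiCall", {}).get("service")
            if not svc:
                continue  # urlPath calls go to the API server itself, the intended recipient
            url = svc.get("url", "")
            if not in_cluster_host(urlparse(url).hostname or ""):
                findings.append((rule.get("name"), ctx.get("name"), url))
    return findings


# Constructed ClusterPolicy: one in-cluster service call and one external one.
SAMPLE_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": {"name": "lookup"},
    "spec": {"rules": [
        {"name": "internal", "context": [{"name": "ok", "apiCall": {"service": {"url": "https://lookup.tools.svc:443/q"}}}]},
        {"name": "external", "context": [{"name": "bad", "apiCall": {"service": {"url": "https://api.example.test/q"}}}]},
    ]},
}
```

Run `external_api_calls` over every ClusterPolicy exported from the cluster; any finding is a policy that would have carried the admission controller's token to a host you do not control.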
🛡️ Detection Rules
CVE-2026-41323: Kyverno apiCall Outbound HTTP Request to Malicious Server
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41323 | Privilege Escalation | Kyverno apiCall feature automatically attaches ServiceAccount token to outgoing HTTP requests |
| CVE-2026-41323 | Information Disclosure | Kyverno versions prior to 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 |
| CVE-2026-41323 | Auth Bypass | Kyverno apiCall service URL has no validation, allowing attacker-controlled servers |
| CVE-2026-41323 | RCE | Stolen admission controller ServiceAccount token leads to full cluster compromise |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.