Platform: go
Component: github.com/kyverno/kyverno
Fixed in: 1.15.4, 1.16.1, 1.15.3
CVE-2026-22039 represents a critical Privilege Escalation vulnerability discovered in Kyverno, a Kubernetes policy engine. This flaw allows attackers to bypass intended security controls and potentially escalate their privileges across multiple namespaces within a Kubernetes cluster. The vulnerability affects versions 1.15.0 through 1.15.2, and a patch is available in version 1.15.3.
The core of the vulnerability lies within the apiCall policy feature in Kyverno. An attacker can craft a malicious policy that, when applied, grants them elevated permissions beyond their intended scope. This can manifest as the ability to read, modify, or delete resources in namespaces they should not have access to. The impact is significant, potentially allowing an attacker to compromise the entire Kubernetes cluster if they can successfully exploit this vulnerability and gain control of a privileged account. This is particularly concerning in multi-tenant environments where namespaces isolate different applications or teams.
This vulnerability was publicly disclosed on 2026-02-02. Currently, there are no publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog as of this writing. Given the critical severity and potential for widespread impact, organizations should prioritize patching.
Organizations heavily reliant on Kyverno for Kubernetes policy enforcement are at significant risk. This includes those using Kyverno to enforce strict security policies, manage access control, or automate deployments. Shared Kubernetes environments and those with complex policy configurations are particularly vulnerable.
• linux / server:
journalctl -u kyverno -f | grep -i "apiCall"
• go / supply-chain:
Inspect Kyverno policy files for instances of apiCall with potentially insecure configurations. Look for policies that allow unrestricted access to Kubernetes API resources.
• generic web:
Monitor Kubernetes API audit logs for unusual patterns of API calls originating from Kyverno pods, particularly those involving resource modifications or privilege escalations.
Disclosure:
Exploit status:
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to immediately upgrade Kyverno to version 1.15.3 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider temporarily restricting the use of apiCall policies, especially those with broad scopes. Review existing apiCall policies to identify any that might be susceptible to exploitation. Monitor Kyverno logs for any unusual activity related to policy evaluation or resource access. While a WAF cannot directly prevent this vulnerability, it can help detect and block malicious requests attempting to exploit it.
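To support the policy review recommended above and the inspection of apiCall configurations in the detection list, here is an added audit script (not part of the advisory or of the Kyverno project). It reads the JSON that `kubectl get policy,clusterpolicy -A -o json` produces, lists every `apiCall` context, and flags entries for review using a heuristic of this script's own: a namespaced Policy is expected to call only URL paths inside its own namespace, while every apiCall in a ClusterPolicy or one pointing at an external `service` is listed for review. The policy list below is constructed sample data.

```python
import json
from typing import Any

# Constructed sample in the shape of `kubectl get policy,clusterpolicy -A -o json`,
# trimmed to the fields this audit reads. Not taken from any real cluster.
SAMPLE_POLICY_LIST = json.dumps({"kind": "List", "items": [
    {"kind": "Policy", "metadata": {"name": "check-own-configmaps", "namespace": "team-a"},
     "spec": {"rules": [{"name": "lookup-cm", "context": [{"name": "cms", "apiCall": {
         "urlPath": "/api/v1/namespaces/team-a/configmaps", "jmesPath": "items[].metadata.name"}}]}]}},
    {"kind": "Policy", "metadata": {"name": "peek-other-ns", "namespace": "team-a"},
     "spec": {"rules": [{"name": "lookup-secrets", "context": [{"name": "s", "apiCall": {
         "urlPath": "/api/v1/namespaces/kube-system/secrets", "jmesPath": "items[].metadata.name"}}]}]}},
    {"kind": "ClusterPolicy", "metadata": {"name": "cluster-wide-lookup"},
     "spec": {"rules": [{"name": "all-ns", "context": [{"name": "ns", "apiCall": {
         "urlPath": "/api/v1/namespaces"}}]}]}},
]})


def audit_api_calls(policy_list_json: str) -> list[dict[str, Any]]:
    """Return one record per apiCall context with a 'finding' label.

    Heuristic (an assumption of this script, not a Kyverno rule): a namespaced
    Policy should only reach urlPaths under /namespaces/<its own namespace>/.
    Everything else, plus all ClusterPolicy and external-service calls, is
    reported for manual review.
    """
    findings = []
    for item in json.loads(policy_list_json)["items"]:
        kind, meta = item["kind"], item["metadata"]
        own_ns = meta.get("namespace")
        for rule in item.get("spec", {}).get("rules", []):
            for ctx in rule.get("context", []):
                call = ctx.get("apiCall")
                if not call:
                    continue  # variable/configMap contexts are not in scope here
                url_path = call.get("urlPath", "")
                if kind == "ClusterPolicy":
                    finding = "cluster-scoped apiCall: review"
                elif call.get("service"):
                    finding = "apiCall to external service: review"
                elif f"/namespaces/{own_ns}/" in url_path:
                    finding = "scoped to own namespace"
                else:
                    finding = "cross-namespace apiCall: review"
                findings.append({"kind": kind, "name": meta["name"], "namespace": own_ns,
                                 "rule": rule.get("name"), "urlPath": url_path, "finding": finding})
    return findings


def needs_review(policy_list_json: str) -> list[str]:
    """Sorted names of policies with at least one apiCall flagged for review."""
    return sorted({f["name"] for f in audit_api_calls(policy_list_json) if "review" in f["finding"]})


if __name__ == "__main__":
    for f in audit_api_calls(SAMPLE_POLICY_LIST):
        print(f"{f['kind']}/{f['name']} rule={f['rule']} urlPath={f['urlPath']}: {f['finding']}")
```

Feed it real cluster output with `kubectl get policy,clusterpolicy -A -o json | python3 audit.py` after replacing the sample constant with `sys.stdin.read()`; flagged entries are candidates for review, not confirmed findings.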
Update Kyverno to version 1.16.3 or later. This fixes the cross-namespace privilege escalation vulnerability. The update can be performed by applying the updated manifests or by using the Kubernetes package manager.
CVE-2026-22039 is a CRITICAL vulnerability in Kyverno allowing attackers to bypass security controls and gain elevated privileges across namespaces. It affects versions 1.15.0 through 1.15.2.
If you are running Kyverno versions 1.15.0, 1.15.1, or 1.15.2, you are vulnerable. Upgrade to 1.15.3 or later to mitigate the risk.
Upgrade Kyverno to version 1.15.3 or later. If immediate upgrade is not possible, implement stricter network policies and review existing policies.
While no active exploitation has been confirmed, the CRITICAL severity and ease of potential exploitation suggest a high risk of future attacks.
Refer to the Kyverno project's official security advisories and release notes for detailed information and updates: [https://kyverno.io/](https://kyverno.io/)