Platform
go
Component
github.com/kyverno/kyverno
Fixed in
1.15.4
1.16.1
1.15.3
1.15.3
CVE-2026-22039 represents a critical Privilege Escalation vulnerability discovered in Kyverno, a Kubernetes policy engine. This flaw allows attackers to bypass intended security controls and potentially escalate their privileges across multiple namespaces within a Kubernetes cluster. The vulnerability affects versions 1.15.0 through 1.15.2, and a patch is available in version 1.15.3.
The core of this vulnerability lies within the apiCall functionality within Kyverno policies. An attacker can craft malicious policies that leverage this flaw to bypass existing security restrictions. This could enable them to perform actions they are not authorized to do, such as modifying critical resources, deploying unauthorized applications, or even gaining control of the entire cluster. The cross-namespace aspect significantly expands the potential blast radius, allowing an attacker to compromise multiple environments within a single cluster. This vulnerability shares similarities with other policy engine bypasses where improper validation of API calls leads to privilege escalation.
This vulnerability was publicly disclosed on 2026-02-02. While no public proof-of-concept (PoC) has been released, the CRITICAL severity and the nature of the vulnerability suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. Active campaigns targeting Kyverno are not currently confirmed, but given the ease of exploitation once a PoC is available, organizations should prioritize patching.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade Kyverno to version 1.15.3 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter network policies to limit inter-namespace communication. Review existing Kyverno policies for any use of apiCall and ensure proper validation and authorization checks are in place. While a WAF or proxy cannot directly address this vulnerability, they can be configured to monitor for suspicious API calls originating from within the cluster. After upgrading, confirm the fix by verifying that policies utilizing apiCall are functioning as expected and that unauthorized actions are still blocked.
Update Kyverno to version 1.16.3 or higher. This addresses the cross-namespace privilege escalation vulnerability. The update can be performed by applying the updated manifests or using the Kubernetes package manager.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-22039 is a CRITICAL vulnerability in Kyverno allowing attackers to bypass security controls and gain elevated privileges across namespaces. It affects versions 1.15.0 through 1.15.2.
If you are running Kyverno versions 1.15.0, 1.15.1, or 1.15.2, you are vulnerable. Upgrade to 1.15.3 or later to mitigate the risk.
Upgrade Kyverno to version 1.15.3 or later. If immediate upgrade is not possible, implement stricter network policies and review existing policies.
While no active exploitation has been confirmed, the CRITICAL severity and ease of potential exploitation suggest a high risk of future attacks.
Refer to the Kyverno project's official security advisories and release notes for detailed information and updates: [https://kyverno.io/](https://kyverno.io/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.