Platform
go
Component
github.com/kyverno/kyverno
Fixed in
1.16.1
1.17.2
1.17.0
CVE-2026-4789 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Kyverno, a Kubernetes-native policy engine. This flaw allows users with namespace-scoped policy creation permissions to initiate arbitrary HTTP requests through the Kyverno admission controller, potentially leading to unauthorized access and data exfiltration. The vulnerability impacts Kyverno versions 1.16.0 and later, with testing performed on version 1.16.2. A fix is available in version 1.17.0.
The SSRF vulnerability in Kyverno poses a significant risk because it allows attackers to bypass network segmentation and access internal resources. An attacker could leverage this to query cloud metadata endpoints (like 169.254.169.254) to obtain sensitive information such as AWS IAM credentials or Azure service principal keys. Furthermore, the attacker can use the policy error messages to exfiltrate data from the cluster. This could lead to complete compromise of the Kubernetes cluster and the applications running within it. The ability to make arbitrary HTTP requests from a privileged admission controller significantly expands the attack surface.
This vulnerability was publicly disclosed on April 14, 2026. There is no indication of active exploitation at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the vulnerability's nature makes it likely that exploits will emerge if the vulnerability remains unpatched in exposed environments.
Exploit Status
EPSS
0.02% (5% percentile)
CVSS Vector
The primary mitigation for CVE-2026-4789 is to upgrade Kyverno to version 1.17.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access from the Kyverno admission controller to only necessary services. Implement strict network policies to limit outbound traffic from Kyverno pods. Monitor Kyverno logs for unusual HTTP requests and policy errors. While a WAF might offer some protection, it's not a complete solution due to the nature of the SSRF vulnerability. After upgrading, verify the fix by attempting to trigger the SSRF vulnerability with a test policy and confirming that the request is blocked.
Update Kyverno to a version later than 1.16.0 to mitigate the SSRF vulnerability. This will prevent the unrestricted use of CEL HTTP functions and protect against potential SSRF attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4789 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability affecting Kyverno versions 1.16.0 and later. It allows unauthorized access to internal services and cloud metadata.
You are affected if you are running Kyverno version 1.16.0 or later and have not upgraded to version 1.17.0 or a later version. Ensure your Kyverno CRDs are enabled, as this is the default configuration.
Upgrade Kyverno to version 1.17.0 or later. As a temporary workaround, restrict network access and implement strict network policies.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official Kyverno security advisory for detailed information and updates: [https://kyverno.io/security/advisories/kyverno-sa-001/](https://kyverno.io/security/advisories/kyverno-sa-001/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.