Platform
go
Component
github.com/kyverno/kyverno
Fixed in
1.15.4
1.16.1
1.15.3
1.15.3
CVE-2026-22039 is a critical privilege escalation vulnerability in Kyverno, a Kubernetes policy engine. The flaw allows attackers to bypass intended security controls and potentially escalate their privileges across multiple namespaces within a Kubernetes cluster. It affects versions 1.15.0 through 1.15.2, and a patch is available in version 1.15.3.
The core of the vulnerability lies in the apiCall functionality of Kyverno policies. An attacker can craft malicious policies that leverage this flaw to bypass existing security restrictions. This could enable them to perform actions they are not authorized to do, such as modifying critical resources, deploying unauthorized applications, or even gaining control of the entire cluster. The cross-namespace aspect significantly expands the potential blast radius, allowing an attacker to compromise multiple environments within a single cluster. The vulnerability resembles other policy engine bypasses in which improper validation of API calls leads to privilege escalation.
This vulnerability was publicly disclosed on 2026-02-02. While no public proof-of-concept (PoC) has been released, the CRITICAL severity and the nature of the vulnerability suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. Active campaigns targeting Kyverno are not currently confirmed, but given the ease of exploitation once a PoC is available, organizations should prioritize patching.
Organizations heavily reliant on Kyverno for Kubernetes policy enforcement are at significant risk. This includes those using Kyverno to enforce strict security policies, manage access control, or automate deployments. Shared Kubernetes environments and those with complex policy configurations are particularly vulnerable.
• linux / server:
journalctl -u kyverno -f | grep -i "apiCall"
• go / supply-chain:
Inspect Kyverno policy files for instances of apiCall with potentially insecure configurations. Look for policies that allow unrestricted access to Kubernetes API resources.
• generic web:
Monitor Kubernetes API audit logs for unusual patterns of API calls originating from Kyverno pods, particularly those involving resource modifications or privilege escalations.
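As an added example (not from this advisory or the Kyverno project), the following Python script audits policies exported with `kubectl get clusterpolicy -o json` and lists every apiCall context that warrants review. The sample policies are constructed, and the flagging heuristics (a urlPath without a namespace segment, an apiCall.service endpoint, a non-GET method) are this example's assumptions about what "unrestricted access" looks like, not the advisory's description of the exact flaw.

```python
import json

# Constructed sample shaped like `kubectl get clusterpolicy -o json`, trimmed
# to the fields this audit reads (not real cluster data).
SAMPLE_POLICIES = json.loads("""
{"items": [
 {"metadata": {"name": "ns-scoped-lookup"}, "spec": {"rules": [
   {"name": "r1", "context": [{"name": "pods", "apiCall": {
     "urlPath": "/api/v1/namespaces/{{request.namespace}}/pods"}}]}]}},
 {"metadata": {"name": "cluster-wide-lookup"}, "spec": {"rules": [
   {"name": "r1", "context": [{"name": "secrets", "apiCall": {
     "urlPath": "/api/v1/secrets"}}]},
   {"name": "r2", "context": [{"name": "ext", "apiCall": {"method": "POST",
     "service": {"url": "https://hook.example.internal/check"}}}]}]}}
]}
""")

def find_api_calls(policy_list):
    """Yield (policy, rule, context, apiCall) for every apiCall context entry."""
    for pol in policy_list.get("items", []):
        pname = pol["metadata"]["name"]
        for rule in pol.get("spec", {}).get("rules", []):
            for ctx in rule.get("context") or []:
                if "apiCall" in ctx:
                    yield pname, rule["name"], ctx["name"], ctx["apiCall"]

def classify(api_call):
    # Review heuristics assumed for this example; they are not the CVE trigger.
    findings = []
    url_path = api_call.get("urlPath", "")
    # A urlPath without a namespace segment lists resources across the cluster.
    if url_path and "/namespaces/" not in url_path:
        findings.append("cluster-wide urlPath")
    # apiCall.service reaches an arbitrary HTTP endpoint, not the API server.
    if "service" in api_call:
        findings.append("calls external service")
    # Anything other than GET can change state from inside policy evaluation.
    if api_call.get("method", "GET").upper() != "GET":
        findings.append("non-GET method")
    return findings

def audit(policy_list):
    """Return {"policy/rule/context": [findings]} for entries needing review."""
    report = {}
    for pname, rname, cname, call in find_api_calls(policy_list):
        findings = classify(call)
        if findings:
            report[f"{pname}/{rname}/{cname}"] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

Point the script at real exported policies by replacing SAMPLE_POLICIES with the parsed kubectl output; an empty report means no apiCall context matched the heuristics, not that the cluster is patched.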
Disclosure
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Kyverno to version 1.15.3 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter network policies to limit inter-namespace communication. Review existing Kyverno policies for any use of apiCall and ensure proper validation and authorization checks are in place. While a WAF or proxy cannot directly address this vulnerability, they can be configured to monitor for suspicious API calls originating from within the cluster. After upgrading, confirm the fix by verifying that policies utilizing apiCall are functioning as expected and that unauthorized actions are still blocked.
Update Kyverno to version 1.16.3 or higher. This fixes the cross-namespace privilege escalation vulnerability. The update can be performed by applying the updated manifests or by using a Kubernetes package manager.
CVE-2026-22039 is a CRITICAL vulnerability in Kyverno allowing attackers to bypass security controls and gain elevated privileges across namespaces. It affects versions 1.15.0 through 1.15.2.
If you are running Kyverno versions 1.15.0, 1.15.1, or 1.15.2, you are vulnerable. Upgrade to 1.15.3 or later to mitigate the risk.
Upgrade Kyverno to version 1.15.3 or later. If immediate upgrade is not possible, implement stricter network policies and review existing policies.
While no active exploitation has been confirmed, the CRITICAL severity and ease of potential exploitation suggest a high risk of future attacks.
Refer to the Kyverno project's official security advisories and release notes for detailed information and updates: [https://kyverno.io/](https://kyverno.io/)