216.73.217.86

CVE-2026-41068

· Published 24/04/2026 04:16 · Modified 24/04/2026 17:16

Labels: CVE-2026-41068 2026-04-24CVE-2026-41068CWE-863[email protected]

Essential information

Published
24/04/2026 04:16
Modified
24/04/2026 17:16
Author
Creator
CVSS
7.7 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS metrics

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
kyverno / kyverno cpe:2.3:a:kyverno:kyverno:1.17.2:*:*:*:*:*:*:*

References