This vulnerability exists in the Kyverno Kubernetes policy engine, where the ConfigMap context loader fails to validate the input namespace field. A malicious namespace administrator can abuse this flaw to read ConfigMaps from any namespace in the cluster using Kyverno's privileged service account. This results in a complete RBAC bypass for multi-tenant Kubernetes clusters.
Remediation
Upgrade Kyverno to version 1.17.2 or later to apply the required fix. Until the upgrade is completed, restrict permissions for untrusted users to create policies that use Kyverno's ConfigMap context loading feature.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.