Kyverno versions before 1.16.4, 1.17.2-rc1, 1.18.0-rc1
Summary
Kyverno is a cloud native policy engine for Kubernetes. This flaw allows attackers to steal the admission controller ServiceAccount token via an unvalidated service URL in ClusterPolicy's apiCall feature. A stolen token leads to full Kubernetes cluster compromise. The vulnerability is patched in recent maintained versions of Kyverno.
Remediation
Upgrade Kyverno to patched versions 1.16.4, 1.17.2-rc1, or 1.18.0-rc1 immediately. Restrict permissions for users that can create ClusterPolicy resources as a temporary mitigation. Audit existing policies for unauthorized configurations after patching.
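The audit step above can be scripted. The following is an added example, not code from Kyverno or from this advisory: it walks the JSON output of `kubectl get clusterpolicies -o json`, finds every `apiCall` block (Kyverno documents the service target at `spec.rules[].context[].apiCall.service.url`; the walk is generic so contexts nested under `foreach` are covered too), and flags any service URL whose host is not an in-cluster Service. The in-cluster suffix allow-list and the sample policy list are constructed assumptions for the example; adjust the suffixes to your cluster DNS domain.

```python
"""Audit Kyverno ClusterPolicy resources for apiCall service URLs that point
outside the cluster. Added example; not Kyverno project code."""
import json
import sys
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed in-cluster naming. Adjust to the cluster's DNS domain.
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")
IN_CLUSTER_HOSTS = {
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
}


def is_in_cluster(url):
    """Return True when the URL's host looks like an in-cluster Service."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False  # unparsable URL: flag it for a human to look at
    if host in IN_CLUSTER_HOSTS:
        return True
    try:
        ip_address(host)
        return False  # raw IP literal: cannot prove it is a Service, treat as external
    except ValueError:
        pass
    return host.endswith(IN_CLUSTER_SUFFIXES)


def iter_api_calls(node, path=()):
    """Yield (path, apiCall dict) for every apiCall anywhere under a policy spec.
    apiCall blocks appear in rule contexts and in foreach contexts, so walk generically."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "apiCall" and isinstance(value, dict):
                yield path + (key,), value
            else:
                yield from iter_api_calls(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_api_calls(item, path + (index,))


def find_external_api_calls(policy_list):
    """Return one finding per apiCall whose service.url is not in-cluster."""
    findings = []
    for policy in policy_list.get("items", []):
        name = policy.get("metadata", {}).get("name", "<unnamed>")
        for path, call in iter_api_calls(policy.get("spec", {})):
            url = call.get("service", {}).get("url")
            if url is None:
                continue  # urlPath-only calls go to the Kubernetes API server, not an arbitrary host
            if not is_in_cluster(url):
                findings.append({
                    "policy": name,
                    "path": "/".join(str(part) for part in path),
                    "url": url,
                })
    return findings


# Constructed sample in the shape of `kubectl get clusterpolicies -o json`.
SAMPLE_POLICY_LIST = {
    "apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
         "metadata": {"name": "lookup-internal"},
         "spec": {"rules": [{"name": "check", "context": [
             {"name": "cfg", "apiCall": {"service": {"url": "https://config-svc.platform.svc:8443/v1"}}},
             {"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}}]}]}},
        {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
         "metadata": {"name": "external-callout"},
         "spec": {"rules": [{"name": "fetch", "context": [
             {"name": "data", "apiCall": {"service": {"url": "https://lookup.example.net/collect"}}}]}]}},
        {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
         "metadata": {"name": "ip-callout"},
         "spec": {"rules": [{"name": "each", "mutate": {"foreach": [{"list": "request.object.spec.containers",
             "context": [{"name": "x", "apiCall": {"service": {"url": "https://203.0.113.10/hook"}}}]}]}}]}},
    ]
}


if __name__ == "__main__":
    # Usage: kubectl get clusterpolicies -o json | python3 audit_apicall.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY_LIST
    for finding in find_external_api_calls(data):
        print(f"{finding['policy']}: {finding['path']} -> {finding['url']}")
```

Treat every finding as something to explain, not automatically as malicious: a legitimate policy may call an external service, but after patching each such URL should be confirmed against change records, and the RBAC restriction on who may create ClusterPolicy resources should stay in place until that review is done.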
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.