
Kyverno patches ServiceAccount token leak via apiCall

Published 24 Apr 2026 · Updated 24 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — Kyverno’s ClusterPolicy apiCall can send the admission controller’s ServiceAccount token to attacker-chosen URLs, turning policy write access into cluster compromise.

What happened

Kyverno is a Kubernetes policy engine used to validate and mutate resources via admission control.

CVE-2026-41323 is a token-exfiltration chain rooted in apiCall for ClusterPolicy: Kyverno automatically attaches the admission controller’s ServiceAccount token to outgoing HTTP requests, and the policy-supplied service URL is not validated. If an attacker can author a ClusterPolicy using apiCall and point it at an attacker-controlled endpoint, the outbound request can carry the controller’s credentials.

The CVE record calls out the key escalation path: the admission controller ServiceAccount has permissions to patch webhook configurations. Once that token is stolen, the attacker can pivot into full cluster compromise. This is the same high-leverage failure mode as any “SSRF + privileged ambient credentials” bug. In Kubernetes, admission-controller credentials are usually a top-of-cluster trust boundary.
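The failure mode described above, as an added illustration that is not Kyverno's code and not a description of the actual patch: a request builder that attaches the controller's bearer token to every outbound call (the pre-fix behaviour the CVE record describes), beside a hardened shape that sends the ambient token only to the in-cluster API server host and lets operator-allowlisted external services be called without any credential. The API server hostname, the token value and the external hostnames are constructed.

```python
"""Ambient-credential SSRF pattern behind the CVE, as an added illustration.

Not Kyverno's code: a controller that forwards policy-supplied URLs and
attaches its own ServiceAccount token to every request, beside a variant that
scopes the token to the API server it was issued for.  Hostnames and the token
value are constructed.
"""
from urllib.parse import urlparse

API_SERVER_HOST = "kubernetes.default.svc"                # constructed in-cluster API server host
SERVICE_ACCOUNT_TOKEN = "eyJhbGciOi.constructed.sa-token"  # constructed placeholder token


def build_request_vulnerable(url: str, token: str) -> dict:
    """Pre-fix behaviour as the CVE describes it: the controller's bearer token
    rides along to whatever URL the policy author supplied."""
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def classify_target(url: str, allowed_hosts=frozenset()) -> str:
    """Decide what an apiCall target may receive.

    'api-server'           -> in-cluster API server, the token is appropriate
    'external-allowlisted' -> operator-approved external service, no ambient token
    'rejected'             -> anything else (unknown host, or not https)
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return "rejected"
    if host == API_SERVER_HOST:
        return "api-server"
    if host in allowed_hosts:
        return "external-allowlisted"
    return "rejected"


def build_request_hardened(url: str, token: str, allowed_hosts=frozenset()) -> dict:
    """Hardened shape: the ServiceAccount token never leaves the cluster, and
    the destination host must be known before any request is built."""
    verdict = classify_target(url, allowed_hosts)
    if verdict == "rejected":
        raise ValueError(f"refusing apiCall target {url!r}: host not allowlisted or not https")
    headers = {"Authorization": f"Bearer {token}"} if verdict == "api-server" else {}
    return {"url": url, "headers": headers}


if __name__ == "__main__":
    leak = build_request_vulnerable("https://collector.external.example/hook", SERVICE_ACCOUNT_TOKEN)
    print("vulnerable builder sends token off-cluster:", "Authorization" in leak["headers"])
    safe = build_request_hardened("https://lookup.external.example/check", SERVICE_ACCOUNT_TOKEN,
                                  frozenset({"lookup.external.example"}))
    print("hardened builder sends token off-cluster:", "Authorization" in safe["headers"])
```

The design point is that the credential decision is made from the parsed destination host, not from the URL string the policy supplied, and that the default for an unknown host is refusal rather than an unauthenticated call.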

Who is impacted

  • Clusters running Kyverno in affected version ranges.
  • Environments where ClusterPolicy apiCall is used and where an attacker can obtain permissions to create or update ClusterPolicy resources.

Component | Affected (per CVE record)    | Patched (per CVE description)
kyverno   | < 1.16.4                     | 1.16.4
kyverno   | >= 1.17.0-rc1, < 1.17.2-rc1  | 1.17.2-rc1

Note: the CVE description also lists 1.18.0-rc1 as patched; validate your deployed release line against the vendor advisory referenced by the CVE.

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix.

    "Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue."

  • Inventory clusters running Kyverno and flag any use of ClusterPolicy apiCall (treat it as a high-risk egress + credentials feature until you are patched).
  • Audit RBAC for who can create or update ClusterPolicy resources. Treat that permission as highly privileged in multi-tenant clusters.
  • If you suspect exposure, assume the admission controller ServiceAccount token may be compromised and rotate credentials/secrets accessible to that identity, then review for unexpected webhook configuration changes.
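The inventory and RBAC-audit steps above, as an added example (not Kyverno's tooling and not from the original article): a Python script that walks ClusterPolicy JSON in the shape `kubectl get clusterpolicies -o json` produces and reports every apiCall context, flagging those that carry a policy-supplied service URL, and that lists the ClusterRoles (with their bound subjects) able to create, update or patch ClusterPolicy objects. The field names apiCall.urlPath, apiCall.service.url and the kyverno.io API group follow Kyverno's documented policy schema as assumed here; the sample policies, roles and bindings are constructed.

```python
"""Inventory helpers for the remediation steps above (added example, not
Kyverno's tooling).  Input is the JSON that `kubectl get clusterpolicies -o json`,
`kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`
produce; the sample objects below are constructed.  Field names
(context[].apiCall.urlPath, context[].apiCall.service.url, API group kyverno.io)
follow Kyverno's documented policy schema as assumed here; the policy walker is
deliberately generic so an apiCall nested anywhere in spec (e.g. in a foreach
context) is still reported."""
import json
from typing import Dict, List

KYVERNO_GROUP = "kyverno.io"
WRITE_VERBS = {"create", "update", "patch", "*"}


def find_api_calls(policy_list: dict) -> List[dict]:
    """One finding per apiCall in a ClusterPolicyList.  'external' is True when
    the call carries a policy-supplied service URL (the field the CVE concerns)
    rather than an API-server urlPath."""
    findings = []
    for policy in policy_list.get("items", []):
        name = policy["metadata"]["name"]
        stack = [policy.get("spec", {})]
        while stack:  # depth-first walk over every dict/list under spec
            node = stack.pop()
            if isinstance(node, dict):
                call = node.get("apiCall")
                if isinstance(call, dict):
                    url = call.get("service", {}).get("url") or call.get("urlPath")
                    findings.append({"policy": name, "url": url, "external": "service" in call})
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
    return findings


def _grants_clusterpolicy_write(rule: dict) -> bool:
    """True if a single RBAC rule allows create/update/patch on kyverno.io clusterpolicies."""
    groups = set(rule.get("apiGroups", [])) & {KYVERNO_GROUP, "*"}
    resources = set(rule.get("resources", [])) & {"clusterpolicies", "*"}
    verbs = set(rule.get("verbs", [])) & WRITE_VERBS
    return bool(groups and resources and verbs)


def clusterpolicy_writers(role_list: dict, binding_list: dict) -> Dict[str, List[str]]:
    """Map each ClusterRole that can write ClusterPolicy objects to the subjects
    bound to it through a ClusterRoleBinding (empty list = no binding found)."""
    risky = {r["metadata"]["name"] for r in role_list.get("items", [])
             if any(_grants_clusterpolicy_write(rule) for rule in r.get("rules") or [])}
    writers = {name: [] for name in sorted(risky)}
    for binding in binding_list.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in writers:
            writers[ref["name"]].extend(f"{s.get('kind')}/{s.get('name')}"
                                        for s in binding.get("subjects") or [])
    return writers


# Constructed sample input: one API-server apiCall, one external service apiCall.
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "require-labels"},
     "spec": {"rules": [{"name": "check", "context": [
         {"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces/{{request.namespace}}",
                                    "jmesPath": "metadata.labels"}}]}]}},
    {"metadata": {"name": "external-lookup"},
     "spec": {"rules": [{"name": "lookup", "context": [
         {"name": "verdict", "apiCall": {"method": "POST",
                                         "service": {"url": "https://lookup.external.example/check"},
                                         "data": [{"key": "image", "value": "{{request.object.spec.containers[0].image}}"}]}}]}]}},
]}
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "policy-editor"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies"], "verbs": ["create", "update", "patch"]}]},
    {"metadata": {"name": "policy-viewer"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies"], "verbs": ["get", "list"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "policy-editor-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-editor"},
     "subjects": [{"kind": "Group", "name": "platform-team"}]},
]}

if __name__ == "__main__":
    for finding in find_api_calls(SAMPLE_POLICIES):
        flag = "EXTERNAL SERVICE URL" if finding["external"] else "api-server urlPath"
        print(f"{finding['policy']}: {flag} -> {finding['url']}")
    print(json.dumps(clusterpolicy_writers(SAMPLE_ROLES, SAMPLE_BINDINGS), indent=2))
```

To run it against a real cluster, replace the three SAMPLE_ dicts with `json.load()` of the corresponding `kubectl get ... -o json` output. The RBAC half covers ClusterRoles and ClusterRoleBindings only; namespaced Role/RoleBinding pairs cannot write cluster-scoped ClusterPolicy objects, but aggregated ClusterRoles and wildcard grants (as the cluster-admin sample shows) do appear and should be reviewed the same way.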
