CVE-2026-22039

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-22039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22039
Aliases
Downstream
Related
Published
2026-01-27T16:07:19.698Z
Modified
2026-02-04T06:32:08.752277Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Details

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved urlPath is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-269",
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22039.json"
}
References

Affected packages

Git / github.com/kyverno/kyverno

Affected ranges

Type
GIT
Repo
https://github.com/kyverno/kyverno
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
13ba08e97c90c058184db9204754b900aeaf084e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.15.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/kyverno/kyverno
Events
Introduced
18f9549cb2af30ec0537cd97f3200228d9f42d4b
Fixed
188151e6b60b192aabcbc24943c3159e5cfab5da
Database specific 
{
    "versions": [
        {
            "introduced": "1.16.0"
        },
        {
            "fixed": "1.16.3"
        }
    ]
}

Affected versions

1.*
1.3.0-rc10
1.6-dev
1.7-dev
1.8-dev
1.9-dev
helm-chart-v2.*
helm-chart-v2.0.3
helm-chart-v2.0.3-rc1
helm-chart-v2.0.3-rc2
helm-chart-v2.1.0
helm-chart-v2.1.3
kyverno-chart-3.*
kyverno-chart-3.5.0
kyverno-chart-3.5.0-rc.1
kyverno-chart-3.5.0-rc.2
kyverno-chart-3.5.0-rc.3
kyverno-chart-3.5.0-rc.4
kyverno-chart-3.5.1
kyverno-chart-3.5.1-rc.1
kyverno-chart-3.5.1-rc.2
kyverno-chart-3.5.1-rc.3
kyverno-chart-3.5.2
kyverno-chart-3.5.2-rc.1
kyverno-chart-3.5.3-rc.1
kyverno-chart-3.6.0
kyverno-chart-3.6.1
kyverno-chart-3.6.1-rc.1
kyverno-chart-3.6.1-rc.2
kyverno-chart-3.6.2
kyverno-chart-3.6.2-rc.1
kyverno-chart-3.6.3-rc.1
kyverno-policies-chart-3.*
kyverno-policies-chart-3.5.0
kyverno-policies-chart-3.5.0-rc.1
kyverno-policies-chart-3.5.0-rc.2
kyverno-policies-chart-3.5.0-rc.3
kyverno-policies-chart-3.5.0-rc.4
kyverno-policies-chart-3.5.1
kyverno-policies-chart-3.5.1-rc.1
kyverno-policies-chart-3.5.1-rc.2
kyverno-policies-chart-3.5.1-rc.3
kyverno-policies-chart-3.5.2
kyverno-policies-chart-3.5.2-rc.1
kyverno-policies-chart-3.5.3-rc.1
kyverno-policies-chart-3.6.0
kyverno-policies-chart-3.6.1
kyverno-policies-chart-3.6.1-rc.1
kyverno-policies-chart-3.6.1-rc.2
kyverno-policies-chart-3.6.2
kyverno-policies-chart-3.6.2-rc.1
kyverno-policies-chart-3.6.3-rc.1
Other
test-dev
v0.*
v0.1.0
v0.10.0
v0.11.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.0-rc1
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.2
v1.1.3
v1.1.3-rc1
v1.1.4
v1.1.4-rc1
v1.1.5
v1.1.6
v1.1.6-rc1
v1.1.6-rc2
v1.1.6-rc3
v1.1.6-rc4
v1.1.6-rc5
v1.1.7
v1.1.7-rc1
v1.1.7-rc2
v1.1.7-rc3
v1.1.7-rc4
v1.1.8
v1.1.9
v1.15.0
v1.15.0-rc.1
v1.15.0-rc.2
v1.15.0-rc.3
v1.15.0-rc.4
v1.15.1
v1.15.1-rc.1
v1.15.1-rc.2
v1.15.1-rc.3
v1.15.2
v1.15.2-rc.1
v1.15.3-rc.1
v1.16.0
v1.16.1
v1.16.1-rc.1
v1.16.1-rc.2
v1.16.2
v1.16.2-rc.1
v1.16.3-rc.1
v1.2.0
v1.2.1
v1.3.0
v1.3.0-rc1
v1.3.0-rc10
v1.3.0-rc11
v1.3.0-rc12
v1.3.0-rc2
v1.3.0-rc3
v1.3.0-rc4
v1.3.0-rc5
v1.3.0-rc6
v1.3.0-rc7
v1.3.0-rc8
v1.3.0-rc9
v1.3.1
v1.3.2
v1.3.2-rc1
v1.3.2-rc2
v1.3.2-rc3
v1.3.3
v1.3.4
v1.3.4-rc1
v1.3.5
v1.3.5-rc1
v1.3.5-rc2
v1.3.5-rc3
v1.3.5-rc4
v1.3.5-rc5
v1.3.6
v1.3.6-rc1
v1.3.6-rc2
v1.3.6-rc3
v1.3.6-rc4
v1.3.6-rc5
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.4.0-rc4
v1.4.1
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.5.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22039.json"