High severity7.7NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026
CVE-2026-41068
CVE-2026-41068
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the configMap.namespace field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/kyverno/kyvernoGo | <= 1.17.1 | — |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/kyverno-1.17pkg:apk/chainguard/kyverno-notation-awspkg:apk/chainguard/kyverno-notation-aws-fipspkg:apk/wolfi/kyverno-1.17pkg:apk/wolfi/kyverno-notation-awspkg:bitnami/kyvernopkg:golang/github.com/kyverno/kyverno
< 1.17.2-r1+ 6 more
- (no CPE)range: < 1.17.2-r1
- (no CPE)range: < 1.1-r52
- (no CPE)range: < 1.1-r46
- (no CPE)range: < 1.17.2-r1
- (no CPE)range: < 1.1-r52
- (no CPE)range: < 1.17.2
- (no CPE)range: <= 1.17.1
Patches
Vulnerability mechanics
References
4- github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777nvdPatchWEB
- github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99pnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-cvq5-hhx3-f99pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41068ghsaADVISORY
News mentions
0No linked articles in our index yet.