Go modules package

github.com/kyverno/kyverno

pkg:golang/github.com/kyverno/kyverno

Vulnerabilities (15)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-41485	Hig	7.7	>= 1.13.0, < 1.16.4	1.16.4	Apr 24, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide ba
CVE-2026-41323	Hig	8.1	< 1.17.0	1.17.0	Apr 24, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The
CVE-2026-41068	Hig	7.7	<= 1.17.1	—	Apr 24, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulne
CVE-2026-40868	Hig	8.1	< 1.17.0	1.17.0	Apr 21, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authoriza
CVE-2026-4789	Cri	9.8	>= 1.16.0, < 1.17.0	1.17.0	Mar 30, 2026	Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
CVE-2026-23881		—	< 1.15.3	1.15.3	Jan 27, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that
CVE-2026-22039		—	< 1.15.3	1.15.3	Jan 27, 2026	Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller Servi
CVE-2025-47281		—	< 1.14.2	1.14.2	Jul 23, 2025	Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno polici
CVE-2025-46342		—	< 1.13.5	1.13.5	Apr 30, 2025	Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to
CVE-2025-29778		—	>= 1.13.0, < 1.14.0-alpha.1	1.14.0-alpha.1	Mar 24, 2025	Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artif
CVE-2024-48921		—	< 1.13.0	1.13.0	Oct 29, 2024	Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec
CVE-2023-47630		—	< 1.10.5	1.10.5	Nov 14, 2023	Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The at
CVE-2023-34091		—	< 1.10.0	1.10.0	Jun 1, 2023	Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `En
CVE-2023-33191		—	>= 1.9.2, < 1.9.4	1.9.4	May 30, 2023	Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
CVE-2022-47633		—	>= 1.8.3, < 1.8.5	1.8.5	Dec 23, 2022	An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in 1.8.

CVE-2026-41485HigApr 24, 2026
affected >= 1.13.0, < 1.16.4fixed 1.16.4
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide ba
CVE-2026-41323HigApr 24, 2026
affected < 1.17.0fixed 1.17.0
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The
CVE-2026-41068HigApr 24, 2026
affected <= 1.17.1
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulne
CVE-2026-40868HigApr 21, 2026
affected < 1.17.0fixed 1.17.0
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authoriza
CVE-2026-4789CriMar 30, 2026
affected >= 1.16.0, < 1.17.0fixed 1.17.0
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
CVE-2026-23881Jan 27, 2026
affected < 1.15.3fixed 1.15.3
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that
CVE-2026-22039Jan 27, 2026
affected < 1.15.3fixed 1.15.3
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller Servi
CVE-2025-47281Jul 23, 2025
affected < 1.14.2fixed 1.14.2
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno polici
CVE-2025-46342Apr 30, 2025
affected < 1.13.5fixed 1.13.5
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to
CVE-2025-29778Mar 24, 2025
affected >= 1.13.0, < 1.14.0-alpha.1fixed 1.14.0-alpha.1
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artif
CVE-2024-48921Oct 29, 2024
affected < 1.13.0fixed 1.13.0
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec
CVE-2023-47630Nov 14, 2023
affected < 1.10.5fixed 1.10.5
Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The at
CVE-2023-34091Jun 1, 2023
affected < 1.10.0fixed 1.10.0
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `En
CVE-2023-33191May 30, 2023
affected >= 1.9.2, < 1.9.4fixed 1.9.4
Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
CVE-2022-47633Dec 23, 2022
affected >= 1.8.3, < 1.8.5fixed 1.8.5
An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in 1.8.