Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4.

INFO

Published Date :

2026-04-21T18:22:01.502Z

Last Modified :

2026-04-22T13:35:50.296Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40868 vulnerability.

Vendors Products
Kyverno
  • Kyverno
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40868.

URL Resource
https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact