Description

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.

INFO

Published Date :

2026-04-24T03:14:27.640Z

Last Modified :

2026-04-24T03:14:27.640Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41068 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41068.

URL Resource
https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777 cve-icon cve-icon
https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact