{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40868", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T18:22:01.502Z", "dateUpdated": "2026-04-21T18:22:01.502Z"}, "containers": {"cna": {"title": "kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token", "problemTypes": [{"descriptions": [{"cweId": "CWE-922", "lang": "en", "description": "CWE-922: Insecure Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp"}], "affected": [{"vendor": "kyverno", "product": "kyverno", "versions": [{"version": "< 1.16.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:22:01.502Z"}, "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno\u2019s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4."}], "source": {"advisory": "GHSA-q93q-v844-jrqp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno\u2019s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4."}], "id": "CVE-2026-40868", "lastModified": "2026-04-21T19:16:18.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.420", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.16.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kyverno", "source": "cna", "vendor": "kyverno"}, "product": "kyverno", "vendor": "kyverno"}], "analysis": {"en": {"generated_at": "2026-04-22T05:34:25.589828+00:00", "value": {"mitigation_remediation": ["Upgrade to Kyverno\u202f1.16.4 or later, which removes the implicit bearer token injection. ", "Restrict the creation of ClusterPolicy objects to trusted administrators and enforce policy reviews to ensure only trusted endpoints are used. ", "Apply network controls that limit the Kyverno controller\u2019s outbound traffic to internal services only, preventing accidental exposure of the service account token to external hosts."], "summary": {"action": "Immediate Patch", "impact": "Token Leakage"}, "threat_synthesis": {"affected_systems": "The defect resides in the community edition of Kyverno, the policy engine for Kubernetes. Versions before 1.16.4 are affected. The flaw only impacts policies of type ClusterPolicy or global\u2011context, as namespaced policies are blocked by an internal URL gate.", "description_and_impact": "Kyverno\u2019s apiCall servicecall helper automatically adds an Authorization: Bearer header when a policy omits an explicit header, using the Kyverno controller\u2019s service account token. Because the endpoint URL is supplied by policy, an attacker who can create a ClusterPolicy that points to a malicious endpoint can cause Kyverno to send its privileged token over the network. This leads to uncontrolled token disclosure, allowing the attacker to impersonate Kyverno and potentially gain full cluster access. The vulnerability is a token\u2011to\u2011service leakage (CWE\u2011922).", "risk_and_exploitability": "The CVSS score of 8.1 signals high severity. No EPSS data is available and the vulnerability is not listed in CISA KEV. Exploitation requires the ability to create or modify a ClusterPolicy, a privilege usually restricted to cluster administrators. Attacks would involve crafting a malicious servicecall policy that directs Kyverno to an attacker\u2011controlled endpoint, causing the service account token to be sent outbound. The risk is significant for environments with loose RBAC or poor network segmentation."}}}}, "created": "2026-04-22T03:30:06.543018+00:00", "updated": "2026-04-22T05:45:09.821550+00:00", "vendors": ["kyverno", "kyverno$PRODUCT$kyverno"]}