CVE-2026-41068: Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno’s apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the configMap.namespace field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno’s privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters.
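The namespace check the advisory describes as missing, as an added illustration in Go that is not Kyverno's own code: a minimal model of a policy context entry in which a namespaced Policy may only resolve ConfigMaps from its own namespace, plus an audit helper that lists policies whose configMap context already points elsewhere. ConfigMapRef, ResolveConfigMapNamespace and FindCrossNamespaceRefs are hypothetical names, not Kyverno APIs.

```go
package main

import (
	"errors"
	"fmt"
)

// ConfigMapRef is a simplified stand-in for the configMap part of a policy
// context entry; Namespace is the field the advisory says is unvalidated.
type ConfigMapRef struct {
	Name      string
	Namespace string
}

// ErrCrossNamespace is returned when a namespaced Policy references a ConfigMap
// outside its own namespace.
var ErrCrossNamespace = errors.New("configMap context must not reference another namespace")

// ResolveConfigMapNamespace returns the namespace the loader is allowed to read
// from. A cluster-scoped policy (policyNamespace == "") keeps the reference as
// written; a namespaced Policy defaults to its own namespace and is refused
// anything else, mirroring the URLPath restriction applied for CVE-2026-22039.
func ResolveConfigMapNamespace(policyNamespace string, ref ConfigMapRef) (string, error) {
	if policyNamespace == "" {
		return ref.Namespace, nil
	}
	if ref.Namespace == "" || ref.Namespace == policyNamespace {
		return policyNamespace, nil
	}
	return "", fmt.Errorf("%w: policy in %q references %q", ErrCrossNamespace, policyNamespace, ref.Namespace)
}

// PolicyContext pairs a policy's namespace with one configMap context entry.
type PolicyContext struct {
	PolicyName      string
	PolicyNamespace string
	Ref             ConfigMapRef
}

// FindCrossNamespaceRefs is an audit helper: it returns the names of namespaced
// policies whose configMap context would read from a foreign namespace.
func FindCrossNamespaceRefs(policies []PolicyContext) []string {
	var offenders []string
	for _, p := range policies {
		if _, err := ResolveConfigMapNamespace(p.PolicyNamespace, p.Ref); errors.Is(err, ErrCrossNamespace) {
			offenders = append(offenders, p.PolicyNamespace+"/"+p.PolicyName)
		}
	}
	return offenders
}
```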