GHSA-8wfp-579w-6r25: Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)
Kyverno’s apiCall service mode automatically attaches the admission controller’s ServiceAccount (SA) token to outbound HTTP requests. This results in unintended credential exposure when requests are sent to external or attacker-controlled endpoints.
The behavior is insecure by default and undocumented, so the token can be exfiltrated without policy authors ever explicitly opting in.
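One defensive check that follows from the description above is to audit existing policies for apiCall service-mode URLs that point outside the cluster, since those are the calls that would carry the admission controller's ServiceAccount token off-cluster. The script below is an added example, not code from the advisory or from the Kyverno project. It walks a policy as returned by `kubectl get clusterpolicy -o json`, finds every `apiCall.service.url`, and flags any whose host is not a cluster Service DNS name. The in-cluster heuristic (a `.svc` or `.svc.cluster.local` suffix) and the sample policy are assumptions constructed for the example; the `apiCall.service.url` and `urlPath` field names follow Kyverno's policy context syntax.

```python
"""Audit Kyverno policies for apiCall service-mode calls to external hosts.

Added example, not Kyverno's own code. Any apiCall.service.url whose host is not
an in-cluster Service DNS name is reported as a place where the admission
controller's ServiceAccount token could be sent off-cluster. The in-cluster
heuristic below is an assumption of this script, not a statement from the advisory.
"""
import json
import sys
from urllib.parse import urlsplit

# Service DNS suffixes treated as in-cluster (assumed heuristic).
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")


def is_in_cluster_host(host: str) -> bool:
    """True for Service names such as name.ns.svc or name.ns.svc.cluster.local."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in IN_CLUSTER_SUFFIXES)


def iter_api_calls(node, path="$"):
    """Yield (json_path, apiCall_dict) for every apiCall block anywhere in a policy.

    Walking the whole document also catches context entries nested under
    foreach blocks, not just rule-level context.
    """
    if isinstance(node, dict):
        if isinstance(node.get("apiCall"), dict):
            yield path + ".apiCall", node["apiCall"]
        for key, value in node.items():
            yield from iter_api_calls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_api_calls(item, f"{path}[{i}]")


def find_external_api_calls(policy: dict) -> list:
    """Return findings for apiCall.service.url targets that are not in-cluster."""
    findings = []
    for path, call in iter_api_calls(policy):
        service = call.get("service")
        if not isinstance(service, dict) or "url" not in service:
            continue  # urlPath-only calls go to the Kubernetes API server
        url = service["url"]
        host = urlsplit(url).hostname or ""  # missing host is treated as external
        if not is_in_cluster_host(host):
            findings.append({
                "policy": policy.get("metadata", {}).get("name", "<unnamed>"),
                "path": path,
                "url": url,
            })
    return findings


# Constructed sample policy: one in-cluster service call, one external service
# call, and one plain kube-apiserver call. Only the external one should be flagged.
SAMPLE_POLICY_JSON = """
{
  "apiVersion": "kyverno.io/v1",
  "kind": "ClusterPolicy",
  "metadata": {"name": "example-audit"},
  "spec": {
    "rules": [
      {"name": "in-cluster-lookup",
       "context": [{"name": "allow", "apiCall": {"method": "GET",
         "service": {"url": "https://allowlist.kyverno.svc:8443/check"}}}]},
      {"name": "external-lookup",
       "context": [{"name": "score", "apiCall": {"method": "POST",
         "service": {"url": "https://risk-scorer.example.com/score"}}}]},
      {"name": "apiserver-lookup",
       "context": [{"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}}]}
    ]
  }
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


if __name__ == "__main__":
    # Usage: kubectl get clusterpolicy NAME -o json | python audit_apicall.py
    # With no stdin data the constructed sample policy is audited instead.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for finding in find_external_api_calls(policy):
        print(f"{finding['policy']}: {finding['path']} -> {finding['url']}")
```

The walk deliberately ignores `urlPath`-only calls, which target the Kubernetes API server rather than an arbitrary host. Anything the script reports should be reviewed against where that endpoint actually lives and whether the policy needs it at all.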