GHSA-gg4x-fgg2-h9w9: Bypassing Kyverno Policies via Double Policy Exceptions

January 6, 2026

If a cluster has a Kyverno policy in enforce mode and there are two exceptions, this allows the policy to be bypassed, even if the first exception is more restrictive than the second.

References

github.com/advisories/GHSA-gg4x-fgg2-h9w9
github.com/kyverno/kyverno
github.com/kyverno/kyverno/security/advisories/GHSA-gg4x-fgg2-h9w9

Code Behaviors & Features

Detect and mitigate GHSA-gg4x-fgg2-h9w9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →