CVE-2026-41068
Published: 24 April 2026
Summary
CVE-2026-41068 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Kyverno (vendor and product: Kyverno). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations to validate configMap.namespace inputs and prevent cross-namespace privilege escalation via Kyverno's service account.
- Requires validation of the configMap.namespace field to reject unauthorized namespaces, directly addressing the zero-validation flaw exploited for RBAC bypass.
- Mandates timely installation of the Kyverno 1.17.2 patch that fixes the ConfigMap context loader vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly described as a cross-namespace privilege escalation that bypasses RBAC authorization controls, directly mapping to exploitation for privilege escalation in a Kubernetes environment.
NVD Description
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
Deeper analysis
CVE-2026-41068 is a cross-namespace privilege escalation vulnerability in Kyverno, a policy engine for cloud native platform engineering teams running in Kubernetes clusters. It affects the ConfigMap context loader, where the `configMap.namespace` field accepts any namespace without validation. This issue mirrors a flaw previously patched in CVE-2026-22039 for the `apiCall` context via `URLPath` validation, but the ConfigMap loader remained unaddressed, enabling unauthorized access through Kyverno's privileged service account. The vulnerability is rated CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-863 (Incorrect Authorization).
A namespace administrator can exploit this vulnerability over the network with low privileges to read ConfigMaps from any other namespace in the cluster. By crafting a Kyverno policy that references a ConfigMap in a target namespace, the attacker leverages Kyverno's elevated service account permissions, achieving a complete RBAC bypass. This is particularly severe in multi-tenant Kubernetes environments, where it yields a high confidentiality impact across namespace boundaries (a scope change in CVSS terms) without requiring user interaction.
Kyverno has released an updated fix in version 1.17.2, as detailed in the GitHub security advisory GHSA-cvq5-hhx3-f99p and the patching commit bbf3e5c01391d612968440659028ae98e565a777. Security practitioners should upgrade to 1.17.2 or later and review existing policies for potential exploitation vectors in multi-tenant setups.
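As an added defensive check that is not part of this advisory or of the Kyverno project, the Go program below audits a `kubectl get policies -A -o json` listing for namespaced Policy objects whose rule context loads a ConfigMap from a different namespace, which is the pattern described above. The exact validation rule applied by the 1.17.2 patch is not quoted on this page, so the check assumes the intended rule that a namespaced Policy may only reference ConfigMaps in its own namespace; the sample listing is constructed.

```go
package main

import "encoding/json"
import "fmt"

// Minimal view of the Kyverno Policy schema, only the fields the audit reads (encoding/json matches names case-insensitively).
type ctxEntry struct{ Name string; ConfigMap *struct{ Name, Namespace string } }
type rule struct{ Name string; Context []ctxEntry }
type policy struct{ Kind string; Metadata struct{ Name, Namespace string }; Spec struct{ Rules []rule } }
type policyList struct{ Items []policy }

// Finding records one context entry that loads a ConfigMap from outside its policy's namespace.
type Finding struct{ Policy, Rule, Context, Namespace string }

// CrossNamespaceConfigMapRefs audits a `kubectl get policies -A -o json` listing. Assumption: a namespaced Policy
// should only read ConfigMaps from its own namespace (empty configMap.namespace = same namespace); ClusterPolicy is skipped.
func CrossNamespaceConfigMapRefs(listJSON []byte) ([]Finding, error) {
	var pl policyList
	if err := json.Unmarshal(listJSON, &pl); err != nil {
		return nil, err
	}
	var out []Finding
	for _, p := range pl.Items {
		if p.Kind != "Policy" { // cluster-scoped ClusterPolicy legitimately spans namespaces
			continue
		}
		for _, r := range p.Spec.Rules {
			for _, c := range r.Context {
				if cm := c.ConfigMap; cm != nil && cm.Namespace != "" && cm.Namespace != p.Metadata.Namespace {
					out = append(out, Finding{p.Metadata.Namespace + "/" + p.Metadata.Name, r.Name, c.Name, cm.Namespace})
				}
			}
		}
	}
	return out, nil
}

// Constructed sample listing: an in-namespace reference (benign), a cross-namespace reference, and a ClusterPolicy.
const samplePolicyList = `{"items":[
{"kind":"Policy","metadata":{"name":"ok","namespace":"tenant-a"},"spec":{"rules":[{"name":"r1","context":[{"name":"cfg","configMap":{"name":"settings","namespace":"tenant-a"}}]}]}},
{"kind":"Policy","metadata":{"name":"suspect","namespace":"tenant-a"},"spec":{"rules":[{"name":"r1","context":[{"name":"leak","configMap":{"name":"cluster-cm","namespace":"kube-system"}}]}]}},
{"kind":"ClusterPolicy","metadata":{"name":"platform"},"spec":{"rules":[{"name":"r1","context":[{"name":"cfg","configMap":{"name":"global","namespace":"kube-system"}}]}]}}]}`

func main() {
	findings, err := CrossNamespaceConfigMapRefs([]byte(samplePolicyList))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d cross-namespace ConfigMap reference(s): %+v\n", len(findings), findings)
}
```

Run it against a live listing by piping `kubectl get policies -A -o json` into the function instead of the constructed sample; any finding is a policy to review before (and after) upgrading to 1.17.2.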
Details
- CWE(s)