Cyber Posture

CVE-2026-4789

Critical

Published: 30 March 2026

Modified: 03 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4789 is a critical-severity SSRF (CWE-918) vulnerability in Kyverno Kyverno. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 (Information Input Validation), prevent: Validates inputs to Kyverno's CEL HTTP functions to prevent SSRF by blocking malicious URLs or request parameters.
- AC-4 (Information Flow Enforcement), prevent: Enforces information flow policies that restrict Kyverno's outbound HTTP requests to only authorized internal and external destinations.
- prevent / detect: Monitors and controls Kyverno's network communications at boundaries to block or detect SSRF-induced requests to internal resources.
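The flow-enforcement and boundary controls above amount to giving the Kyverno admission controller an explicit egress allow-list, so that any request a policy author induces through the CEL HTTP functions cannot reach the cluster metadata service, node addresses or other namespaces. The following Kubernetes NetworkPolicy is an added example of that control; it is not from this page or from the Kyverno project. It assumes Kyverno runs in the `kyverno` namespace with pods labelled `app.kubernetes.io/part-of: kyverno`, and the API-server address is a placeholder to be replaced per cluster.

```yaml
# Added example (not Cyber Posture's or Kyverno's own configuration): deny-by-default
# egress for the Kyverno admission controller, allowing only cluster DNS and the
# Kubernetes API server. Anything else (cloud metadata endpoints, node IPs, other
# namespaces, arbitrary internet hosts) is dropped once this policy selects the pod.
#
# Assumptions (not taken from the page):
#   - Kyverno is installed in the "kyverno" namespace
#   - its pods carry the label app.kubernetes.io/part-of=kyverno
#   - cluster DNS runs in kube-system
#   - the API-server endpoint CIDR below is a PLACEHOLDER
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kyverno-restrict-egress
  namespace: kyverno
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/part-of: kyverno
  policyTypes:
    - Egress
  egress:
    # 1. DNS resolution through the cluster DNS service only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. The Kubernetes API server, which the admission controller needs
    - to:
        - ipBlock:
            cidr: 10.96.0.1/32   # PLACEHOLDER: replace with the API-server endpoint address(es)
      ports:
        - protocol: TCP
          port: 443
    # 3. No other egress rule: add one block per legitimately required
    #    destination (e.g. an external data source a policy must call).
```

Two operational notes. Many CNIs evaluate NetworkPolicy after service DNAT, so the allowed CIDR should cover the addresses reported by `kubectl get endpoints kubernetes` rather than only the service ClusterIP. NetworkPolicy is enforced only by a CNI that implements it; on a cluster whose CNI ignores it, the object is accepted but has no effect, which is worth verifying with a test pod before relying on it. This is a compensating control that limits the blast radius of CVE-2026-4789; it does not replace applying the vendor fix.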

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1090.001 Internal Proxy (Command and Control): Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
Why these techniques?

Because the SSRF is reachable in a network-accessible application, it directly enables exploitation under T1190; the induced requests can also act as an internal proxy for bypassing network restrictions and reaching internal resources (T1090.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kyverno, versions 1.16.0 and later, is vulnerable to SSRF due to unrestricted CEL HTTP functions.

Deeper analysis

CVE-2026-4789 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Kyverno versions 1.16.0 and later due to unrestricted CEL HTTP functions. Published on 2026-03-30, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network. By leveraging the unrestricted CEL HTTP functions, they can induce Kyverno to make unintended requests, potentially accessing internal resources, bypassing network restrictions, or interacting with external services in ways that lead to significant compromise.

Advisories and further details are available in referenced sources, including the Kyverno GitHub repository at https://github.com/kyverno/kyverno, CERT KB entry at https://kb.cert.org/vuls/id/655822, and general SSRF guidance at https://portswigger.net/web-security/ssrf.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: kyverno / kyverno, versions 1.16.0 through 1.17.1

CVEs Like This One

- CVE-2026-41323 (same product: Kyverno Kyverno)
- CVE-2026-22039 (same product: Kyverno Kyverno)
- CVE-2026-41485 (same product: Kyverno Kyverno)
- CVE-2026-41068 (same product: Kyverno Kyverno)
- CVE-2026-23881 (same product: Kyverno Kyverno)
- CVE-2025-29778 (same product: Kyverno Kyverno)
- CVE-2026-40868 (same product: Kyverno Kyverno)
- CVE-2026-7025 (shared CWE-918)
- CVE-2025-21385 (shared CWE-918)
- CVE-2025-52362 (shared CWE-918)

References