Nixpkgs security tracker
NIXPKGS-2026-1277
GitHub issue
published 1 month, 4 weeks ago
Permalink
CVE-2026-41323
8.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored package kyverno-chainsaw
- @LeSuisse accepted
- @LeSuisse published on GitHub
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.
References
-
https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4 x_refsource_CONFIRMexploit
Ignored references (2)
Affected products
kyverno
- ==< 1.16.4
- ==>= 1.17.0-rc1, < 1.17.2-rc1
Matching in nixpkgs
Ignored packages (1)
pkgs.kyverno-chainsaw
Declarative approach to test Kubernetes operators and controllers
Package maintainers
-
@LorenzBischof Lorenz Bischof <nix@lorenzbischof.ch>
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>