Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: kyverno

Found 5 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-44245
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 hours ago by @LeSuisse Activity log
  • Created suggestion 12 hours ago
  • @LeSuisse ignored package kyverno-chainsaw 6 hours ago
  • @LeSuisse accepted 6 hours ago
  • @LeSuisse published on GitHub 6 hours ago
Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. This vulnerability is fixed in 2.5.2.

Affected products

kyverno
  • ==< 2.5.2

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Permalink CVE-2026-41323
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 4 days ago
  • @LeSuisse ignored package kyverno-chainsaw 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.

Affected products

kyverno
  • ==>= 1.17.0-rc1, < 1.17.2-rc1
  • ==< 1.16.4

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Permalink CVE-2026-41068
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 4 days ago
  • @LeSuisse ignored package kyverno-chainsaw 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.

Affected products

kyverno
  • ==< 1.17.2

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Permalink CVE-2026-41485
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 4 days ago
  • @LeSuisse ignored package kyverno-chainsaw 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Kyverno Controller Denial of Service via forEach Mutation Panic

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.

Affected products

kyverno
  • ==>= 1.17.0-rc1, < 1.17.2
  • ==< 1.16.4

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Permalink CVE-2026-4789
updated 1 month, 1 week ago by @mweinelt Activity log
  • Created suggestion 1 month, 1 week ago
  • @mweinelt ignored package kyverno-chainsaw 1 month, 1 week ago
  • @mweinelt accepted 1 month, 1 week ago
  • @mweinelt published on GitHub 1 month, 1 week ago
CVE-2026-4789

Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

Affected products

Kyverno
  • ==1.16.0

Matching in nixpkgs

Ignored packages (1)

Package maintainers

https://github.com/kyverno/kyverno/pull/15729