## Kyverno Security Flaw CVE-2026-33810: Certificate Validation Bypass for Wildcard DNS SANs
A critical vulnerability in Kyverno's certificate validation logic could allow attackers to bypass DNS name constraints, undermining the security of trusted certificate chains. The flaw, designated CVE-2026-33810, resides in how the software handles excluded DNS constraints when verifying certificates. Specifically, the constraints fail to apply correctly to wildcard DNS Subject Alternative Names (SANs) that use a different letter case than the constraint. This creates a potential pathway for a malicious certificate to be incorrectly validated as trusted, even when it should be explicitly blocked.

The vulnerability is isolated to the validation of certificate chains that are otherwise considered trusted, that is, chains issued by a root Certificate Authority present in either the `VerifyOptions.Roots` `CertPool` or the system's own certificate pool. The issue is currently tracked in the Kyverno GitHub repository under security advisory code-scanning/2341 (codeql-id-2341) and is confirmed to affect the project's main development branch. This narrows the exposure but highlights a significant logic error in a core security function.

The discovery places immediate scrutiny on deployments using Kyverno for policy enforcement where certificate validation is a security boundary. While the impact is contingent on an attacker obtaining a specially crafted certificate, the flaw fundamentally weakens the assurance provided by DNS constraints. This raises the risk for environments relying on Kyverno to govern and secure access based on certificate identities, prompting urgent review and patching of the main branch to close this validation gap.
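To make the failure mode concrete, the following Go snippet is an added illustration, not Kyverno's code or the advisory's test case: it checks DNS SANs, including wildcard SANs, against an excluded subtree list with and without case folding. The function names and the sample SANs are constructed for this example; only the case-folded path matches the RFC 5280 rule that DNS names compare case-insensitively.

```go
package main

import (
	"fmt"
	"strings"
)

// withinDNSSubtree reports whether a DNS SAN falls inside a name-constraint
// subtree as RFC 5280 defines it: the constraint "example.com" covers
// "example.com" itself and any host below it, and a wildcard SAN such as
// "*.example.com" is judged by the labels after the "*.". caseFold decides
// whether both sides are lower-cased first; DNS names are case-insensitive,
// so a checker that skips folding has the weakness described above.
func withinDNSSubtree(san, constraint string, caseFold bool) bool {
	if caseFold {
		san = strings.ToLower(san)
		constraint = strings.ToLower(constraint)
	}
	san = strings.TrimPrefix(san, "*.")
	constraint = strings.TrimPrefix(constraint, ".")
	return san == constraint || strings.HasSuffix(san, "."+constraint)
}

// blockedSANs returns every SAN that at least one excluded subtree covers.
// A verifier must reject the certificate when this list is non-empty.
func blockedSANs(sans, excluded []string, caseFold bool) []string {
	var blocked []string
	for _, san := range sans {
		for _, ex := range excluded {
			if withinDNSSubtree(san, ex, caseFold) {
				blocked = append(blocked, san)
				break
			}
		}
	}
	return blocked
}

func main() {
	// Constructed sample: an excluded subtree for example.com and a leaf
	// whose wildcard SAN differs from the constraint only by letter case.
	excluded := []string{"example.com"}
	sans := []string{"*.EXAMPLE.com", "api.Example.COM", "other.test"}
	fmt.Println("case-sensitive check blocks:", blockedSANs(sans, excluded, false))
	fmt.Println("case-folded check blocks:   ", blockedSANs(sans, excluded, true))
}
```

The case-sensitive run blocks nothing, so a certificate carrying `*.EXAMPLE.com` would pass; the case-folded run blocks both `*.EXAMPLE.com` and `api.Example.COM`.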
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33810, Security Vulnerability, Certificate Validation, DNS Constraints, GitHub Advisory
- **Credibility**: unverified
- **Published**: 2026-04-11 19:22:34
- **ID**: 60219
- **URL**: https://whisperx.ai/en/intel/60219