## Kyverno Kubernetes Policy Engine Exposes High-Risk SSRF Vulnerability (GHSA-fmqp-4wfc-w3v7)
A critical Server-Side Request Forgery (SSRF) vulnerability in Kyverno's APICall feature allows attackers with basic policy creation permissions to bypass tenant isolation and access sensitive internal resources. The flaw, tracked as GHSA-fmqp-4wfc-w3v7, exploits Kyverno's high-privilege ServiceAccount, enabling low-privilege tenants in multi-tenant Kubernetes clusters to steal database passwords, API keys, and cloud platform IAM credentials from other tenants. This constitutes a classic Confused Deputy attack, where a trusted component is tricked into performing unauthorized actions, completely breaking the security boundary between tenants.

The vulnerability stems from Kyverno's APICall feature, which allows policies to fetch external data via HTTP requests. The core failure is a lack of URL validation when these requests are executed. An attacker with namespace-level permissions to create a Kyverno Policy can craft a malicious policy that directs the APICall to internal endpoints, such as the Kubernetes API server or cloud metadata services. Kyverno's engine, operating with elevated cluster-wide privileges, then makes the request, returning sensitive data to the attacker. Crucially, this exploit does not require cluster-admin rights, significantly lowering the barrier to a major breach.

This flaw poses a severe threat to any organization using Kyverno for policy enforcement in shared Kubernetes environments, particularly managed services and internal platforms. It undermines the fundamental security promise of namespace isolation. The vulnerability allows for lateral movement and credential theft within a cluster, which could lead to full cluster compromise or unauthorized access to adjacent cloud resources. All users are urged to apply the available patches immediately to mitigate this high-severity risk.
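An added defender-side example (not code from Kyverno or from the advisory): a small audit that walks Kyverno policies and flags `apiCall` contexts pointed at internal endpoints, the kind of check a platform team could run in CI or in an admission webhook before a tenant's policy is accepted. It assumes Kyverno's `spec.rules[].context[].apiCall` layout with `service.url` for external calls and `urlPath` for calls to the Kubernetes API server, takes policies as already-parsed dicts, and the allowlisted host is made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of hosts that policies may legitimately call.
ALLOWED_HOSTS = {"policy-data.example.com"}
# Loopback, RFC 1918, link-local (covers cloud metadata endpoints) and IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def url_findings(url):
    """Reasons a service URL is suspicious; an empty list means it passed."""
    parts = urlsplit(url)
    host, reasons = parts.hostname or "", []
    if parts.scheme != "https":
        reasons.append(f"non-https scheme {parts.scheme!r}")
    try:
        if any(ipaddress.ip_address(host) in net for net in BLOCKED_NETS):
            reasons.append(f"internal/link-local address {host}")
    except ValueError:  # not an IP literal, so a hostname
        # In-cluster names and anything off the allowlist can still resolve
        # to internal targets, so deny by default.
        if host.endswith((".svc", ".svc.cluster.local")):
            reasons.append(f"in-cluster service {host}")
        elif host not in ALLOWED_HOSTS:
            reasons.append(f"host {host!r} not in allowlist")
    return reasons

def audit_policy(policy):
    """Walk spec.rules[].context[].apiCall (assumed schema) and collect findings."""
    findings, name = [], policy.get("metadata", {}).get("name", "?")
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context", []):
            call = ctx.get("apiCall") or {}
            where = f"{name}/{rule.get('name')}/{ctx.get('name')}"
            url = call.get("service", {}).get("url")
            if url:
                findings += [f"{where}: {r}" for r in url_findings(url)]
            # urlPath is sent to the Kubernetes API server with Kyverno's own ServiceAccount.
            if "/secrets" in call.get("urlPath", ""):
                findings.append(f"{where}: API-server call reads Secrets")
    return findings

# Constructed sample (not from the advisory) of the kind of policy the audit should flag.
SAMPLE_POLICY = {"apiVersion": "kyverno.io/v1", "kind": "Policy",
    "metadata": {"name": "tenant-a-policy", "namespace": "tenant-a"},
    "spec": {"rules": [{"name": "fetch", "context": [
        {"name": "md", "apiCall": {"service": {"url": "http://169.254.169.254/latest/"}}},
        {"name": "sec", "apiCall": {"urlPath": "/api/v1/namespaces/tenant-b/secrets"}},
        {"name": "ok", "apiCall": {"service": {"url": "https://policy-data.example.com/v1"}}}]}]}}
```

Running `audit_policy(SAMPLE_POLICY)` reports the metadata-service URL (twice: plain http and link-local address) and the cross-namespace Secrets read, while the allowlisted HTTPS host produces no finding.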

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Kubernetes, SSRF, Cloud Security, Vulnerability, CVE
- **Credibility**: unverified
- **Published**: 2026-04-16 22:22:52
- **ID**: 68230
- **URL**: https://whisperx.ai/en/intel/68230