_explained / kyverno-rbac-bypass-kubernetes-multitenancy-flaw
HIGH PLAIN ENGLISH 5 min read

A Security Guard That Opens Every Door: The Kubernetes Flaw Letting Tenants Raid Each Other's Secrets

A patch meant to fix a privilege escalation bug in Kyverno left an identical hole wide open. In multi-tenant Kubernetes clusters, that means anyone's secrets could be anyone else's.

2026-04-24 · Read technical analysis →
💬
PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Kyverno RBAC Bypass — CVE-2026-41068

Imagine hiring a security firm to lock every office in your building — only to discover they forgot to lock the filing cabinets, and every employee in the building has a master key to all of them.

Who Is at Risk — and Why It Matters Beyond the Server Room

Kubernetes is the invisible engine running a staggering share of the modern internet. Banks process transactions on it. Healthcare platforms store patient records through it. SaaS companies run dozens of separate customers — each believing their data is walled off from the others — inside the same Kubernetes cluster. That isolation is the promise. CVE-2026-41068 breaks it.

The vulnerability lives in Kyverno, a widely adopted open-source policy engine used by platform engineering teams at companies ranging from startups to Fortune 500s. Kyverno is trusted to enforce rules across Kubernetes environments — think of it as the compliance officer of your cloud infrastructure. It has elevated, privileged access to nearly everything in a cluster by design. That privilege is now the problem. Any tenant who has been granted control of their own slice of a shared cluster can exploit this flaw to read configuration data — potentially including credentials, API keys, and internal service addresses — belonging to any other tenant on the same system.

The real-world count of affected deployments is substantial. Kyverno has been downloaded tens of millions of times and is a graduated project under the Cloud Native Computing Foundation (CNCF), meaning it carries an institutional stamp of approval that has accelerated its adoption across enterprise environments. If your company runs workloads in a managed Kubernetes service — Amazon EKS, Google GKE, Azure AKS — and uses Kyverno for policy enforcement, your cluster's internal trust boundaries may be compromised right now.

How a Locked Door Leads to an Open Vault

To understand this flaw, picture a large co-working building. Each company rents a floor — their own "namespace" — and is told their files are private. The building manager (Kyverno, in our story) has a master key to every floor because it needs to inspect everyone's workspaces to make sure building rules are followed. Now imagine a tenant on Floor 3 can hand the building manager a forged work order that says "please fetch the files from Floor 7's filing cabinet" — and the building manager, trusting the work order without reading it carefully, complies and brings the files right back.

That is essentially what this vulnerability enables. Kyverno policies can pull in external data — from configuration files stored throughout the cluster — to inform their decisions. One way to do this is through something called a ConfigMap context, where you tell Kyverno: "go read this specific configuration file from this specific location." The location has two parts: the name of the file, and the namespace (floor) it lives in. Kyverno's powerful service account goes and fetches it. The flaw? Kyverno never checks whether the person writing the policy is actually allowed to access that other namespace. A rogue tenant simply writes a policy that points to someone else's namespace, and Kyverno — helpful, privileged, unsuspecting — retrieves the data and hands it over.

What makes this especially damaging is the type of data typically stored in Kubernetes ConfigMaps. While they are not designed for high-secrecy storage, in practice they routinely contain database connection strings, internal API endpoints, feature flag configurations, and service credentials that were never meant to leave their namespace. In a multi-tenant SaaS environment, reading a competitor's ConfigMaps could expose the internal architecture of their application, their integration credentials, or their infrastructure topology — a meaningful head start for any follow-on attack.

The Technical Hook: An Incomplete Patch and a Missed Attack Surface

Security researchers will recognize this immediately as a patch bypass via equivalent attack surface — one of the most frustrating vulnerability classes in software security, because it signals that the original fix was applied narrowly rather than architecturally.

The predecessor vulnerability, CVE-2026-22039, was patched by adding namespace validation to Kyverno's apiCall context loader — the mechanism that lets policies make outbound HTTP-style calls to the Kubernetes API. That fix was correct and necessary. But Kyverno has a second, parallel mechanism for loading external data: the ConfigMap context loader. Its configMap.namespace field — which specifies which namespace to pull a ConfigMap from — received no equivalent validation. The two code paths share the same privilege (Kyverno's cluster-scoped service account) and the same trust problem (unvalidated user input determines the target namespace), but only one was remediated. The result is a complete RBAC bypass in multi-tenant deployments, scored at CVSS 7.7 (HIGH).

For Kubernetes security researchers: the vulnerability class is cross-namespace privilege escalation through a trusted intermediary's service account, enabled by missing input validation on a namespace selector field. This is a textbook case of why security reviews must audit all equivalent code paths when patching a vulnerability class — not just the specific instance that was reported.

What We Know About Exploitation

As of publication, there are no confirmed cases of active exploitation in the wild. The vulnerability was discovered during a follow-up security audit — almost certainly a review of the original CVE-2026-22039 patch and its surrounding code. This is good news, but it comes with an asterisk: the attack requires no special tooling, leaves limited forensic traces (Kyverno's normal operations generate significant API traffic, making a malicious ConfigMap read difficult to distinguish from legitimate activity), and is accessible to any namespace-level administrator. The barrier to exploitation is low once the technique is known.

No specific threat actor or campaign has been attributed to this vulnerability. However, cloud-native supply chain attacks and Kubernetes privilege escalation have been active areas of exploitation for financially motivated actors and nation-state groups alike over the past two years. The window between public disclosure and active exploitation for high-profile Kubernetes vulnerabilities has historically been measured in days to weeks, not months.

What To Do Right Now

Security teams should treat this as an urgent but not immediately catastrophic situation — critical enough to prioritize above routine patch cycles, but not a drop-everything emergency if compensating controls are in place. Here is your action list:

  1. Upgrade Kyverno to version 1.17.2 immediately. This is the official patched release. If you are running any version prior to 1.17.2, you are vulnerable. Check your installed version with kubectl get deployment kyverno -n kyverno -o jsonpath='{.spec.template.spec.containers[0].image}' and prioritize upgrade scheduling for today, not end of sprint.
  2. Audit existing Kyverno policies for suspicious cross-namespace ConfigMap references. Search your policy definitions for configMap.namespace fields that reference namespaces other than the policy's own. Run: kubectl get clusterpolicies,policies -A -o yaml | grep -A2 'configMap:' and flag any entry where the namespace value does not match the policy's owning namespace. These are candidates for abuse — either by a current attacker or as a configuration error worth resolving regardless.
  3. Review Kyverno's service account audit logs for anomalous ConfigMap reads. Use your cloud provider's audit logging (CloudTrail on AWS, Cloud Audit Logs on GCP, Monitor Diagnostic Logs on Azure) or your Kubernetes API server audit log to filter for get and list operations on ConfigMap resources attributed to the Kyverno service account. Cross-reference the namespace field in those log entries — any read from a namespace that Kyverno has no policy legitimately governing is a red flag worth investigating.

CVE: CVE-2026-41068 | CVSS: 7.7 HIGH | Fixed in: Kyverno 1.17.2 | Category: Privilege Escalation / RBAC Bypass | Platform: Cloud / Kubernetes

// TOPICS
#privilege-escalation#rbac-bypass#cross-namespace-access#kyverno-policy-engine#configmap-disclosure
// WANT MORE DETAIL?

The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.

Read technical analysis →
Share on X → Get weekly digest →
// TOOLS WE RECOMMEND
NordVPN →

Encrypt your traffic against the threats we explain here.
NordPass →

Stop credential theft. Password manager from Nord Security.
Saily eSIM →

Travel privately. eSIM data for 150+ countries, 10% off.

Affiliate links — commission earned at no cost to you.