Kyverno Security Advisory: Cross-Namespace Privilege Escalation

27 January 2026


Nirmata OSS engineers, alongside OSS security researchers, have identified and issued fixes for one critical and one high-severity CVE that impact all versions of Kyverno.

At this time, we have no evidence of these vulnerabilities being actively exploited in the wild but request that all users upgrade their deployments.

Remediation Paths

Here are the recommended actions:

For Open Source Users: We have released patched versions for supported releases. We recommend upgrading immediately to:

https://github.com/kyverno/kyverno/releases

For Nirmata Enterprise Customers: We realize that upgrading admission controllers in critical environments requires significant testing. To support our customers based on enterprise SLAs, Nirmata has back-ported these security patches to all Long Term Support (LTS) versions dating back to v1.12.

  • Action: If you are a Nirmata customer, you do not need to perform a major version upgrade. Simply pull the latest patch for your current Long Term Support (LTS) version. Please contact your Customer Success Manager if you need assistance.

Below are details on these vulnerabilities:

Cross-Namespace Privilege Escalation

Explanation

Kyverno policies can use the apiCall feature to look up cluster resources. Kyverno executes the API call using its own service account, and this vulnerability allows a Kyverno namespaced policy to access cluster-wide resources and resources in other namespaces.

By default, Kyverno uses role aggregation to allow the system admin role access to manage policies. This means that a user with admin permissions within a namespace can create namespaced policies and look up resources in other namespaces that Kyverno has permissions to view, breaking namespace isolation.

Kyverno’s default installation does not provide permissions to access sensitive resources such as Secrets. However, it is not uncommon to grant the Kyverno controller additional permissions to manage critical resources.

The fix prevents namespaced policies from accessing cluster-wide resources and resources in other namespaces.

For more details refer to GitHub security advisory GHSA-8p9x-46gm-qfx2.

Mitigations

Upgrade to a Kyverno version or distribution with the code fix to prevent cluster-wide and cross-namespace API access from a namespaced policy.

If you are unable to upgrade, you can disable Kyverno’s admin role aggregation to prevent namespace administrators from being able to create namespaced policies that can exploit this vulnerability.

helm upgrade kyverno kyverno/kyverno -n kyverno --create-namespace \
   --set "rbac.roles.aggregate.admin=false" \
   --set "rbac.roles.aggregate.view=false"
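Alongside upgrading or disabling role aggregation, an added check (not from the advisory or from Kyverno itself) that scans exported policy manifests and flags namespaced Policy resources whose apiCall urlPath reaches cluster-wide resources or another namespace. The sample policies are constructed, and the list of variables treated as "own namespace" is an assumption; any other templated namespace is flagged for review.

```python
import re

# Captures the namespace segment of a Kubernetes API path, e.g.
# /api/v1/namespaces/team-a/pods or /apis/apps/v1/namespaces/{{request.namespace}}/deployments
NS_SEGMENT = re.compile(r"/namespaces/([^/]+)")

# Assumption: these variables resolve to the namespace of the admission request. A namespaced
# Policy only matches requests in its own namespace, so such lookups stay inside it.
SELF_NAMESPACE_VARS = {"{{request.namespace}}", "{{ request.namespace }}",
                       "{{request.object.metadata.namespace}}"}

def classify_url_path(url_path, policy_namespace):
    """Return 'self', 'cross-namespace' or 'cluster-wide' for an apiCall urlPath."""
    m = NS_SEGMENT.search(url_path)
    if m is None:
        return "cluster-wide"  # e.g. /api/v1/nodes, or /api/v1/pods (lists all namespaces)
    target = m.group(1)
    if target == policy_namespace or target in SELF_NAMESPACE_VARS:
        return "self"
    return "cross-namespace"  # a literal other namespace, or an unknown template: review it

def find_risky_api_calls(policies):
    """List (policy, rule, context, verdict, path) for namespaced policies whose apiCall
    leaves their own namespace. ClusterPolicy is cluster-scoped by design and is skipped."""
    findings = []
    for pol in policies:
        if pol.get("kind") != "Policy":
            continue
        ns = pol["metadata"]["namespace"]
        for rule in pol.get("spec", {}).get("rules", []):
            for ctx in rule.get("context", []):
                path = ctx.get("apiCall", {}).get("urlPath")
                if path:
                    verdict = classify_url_path(path, ns)
                    if verdict != "self":
                        findings.append((pol["metadata"]["name"], rule["name"],
                                         ctx["name"], verdict, path))
    return findings

# Constructed sample, shaped like `kubectl get policy -A -o json` items reduced to the fields used.
SAMPLE_POLICIES = [
    {"kind": "Policy", "metadata": {"name": "own-ns-lookup", "namespace": "team-a"},
     "spec": {"rules": [{"name": "check-pods", "context": [
         {"name": "pods", "apiCall": {"urlPath": "/api/v1/namespaces/{{request.namespace}}/pods"}}]}]}},
    {"kind": "Policy", "metadata": {"name": "peek-elsewhere", "namespace": "team-a"},
     "spec": {"rules": [{"name": "lookups", "context": [
         {"name": "cm", "apiCall": {"urlPath": "/api/v1/namespaces/team-b/configmaps"}},
         {"name": "nodes", "apiCall": {"urlPath": "/api/v1/nodes"}}]}]}},
    {"kind": "ClusterPolicy", "metadata": {"name": "cluster-scoped"},
     "spec": {"rules": [{"name": "r", "context": [{"name": "n", "apiCall": {"urlPath": "/api/v1/nodes"}}]}]}},
]

if __name__ == "__main__":
    for f in find_risky_api_calls(SAMPLE_POLICIES):
        print("policy=%s rule=%s context=%s verdict=%s path=%s" % f)
```

Run it against the real output of `kubectl get policy -A -o json` (the `items` list) to triage which namespaced policies need attention before the upgrade lands.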

Denial of Service via Context Variable Amplification

Explanation

Kyverno’s context allows execution of JMESPath expressions, including functions that generate random strings used for naming. A user with permissions to create policies can potentially fill the context, causing an OOM kill and a denial of service for Kyverno controllers.

The fix introduces a configurable context size, 2MB by default, to prevent policies from causing a Kyverno controller crash.

For more details please refer to GitHub security advisory GHSA-r2rj-wwm5-x6mq.

Mitigations

Upgrade to a Kyverno version or distribution with the code fix, which enforces the configurable context size limit so that a policy cannot crash a Kyverno controller.

If you are unable to upgrade, review RBAC permissions and limit which users can create policy resources.

Need Help Securing Older Versions?

We realize that many enterprise environments are running older stable versions (1.10, 1.12, 1.14) and cannot perform a major upgrade to v1.15+ on short notice without risking production stability.

  • If you are NOT a current customer: Do not leave your cluster vulnerable because you are stuck on an older version. We have opened a priority track to assist organizations that need immediate access to back-ported patches.
  • Expedited Onboarding: We are fast-tracking account setups for organizations impacted by this CVE.

How to Access: Contact us at support@nirmata.com (or use the form below) with the subject “CVE Expedited Access.” Our team will prioritize your request to get you access to the hardened LTS images immediately.
