Confused-Deputy
Kyverno apiCall Service Helper Leaks ServiceAccount Token to Attacker-Controlled Endpoints (CVE-2026-40868)
A high-severity flaw in Kyverno's apiCall service-call helper implicitly attaches the controller's ServiceAccount bearer token to outbound requests whose URL is controlled by the policy, so any ClusterPolicy author can point a policy at an endpoint they control, capture the token, and impersonate the Kyverno controller.
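As an added defender-side example (not code from the advisory or from the Kyverno project), the scanner below walks ClusterPolicy objects and flags any context entry whose apiCall service URL points at a host outside an operator-maintained allow-list, or that uses plain http (where a bearer token would travel in cleartext). It assumes the context layout spec.rules[].context[].apiCall.service.url; the allow-list and the sample policies are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hosts the cluster operators have vetted as safe
# recipients of the Kyverno controller's ServiceAccount token.
ALLOWED_HOSTS = {"metrics-svc.monitoring.svc"}


def check_service_url(url: str, allowed_hosts: set[str]) -> list[str]:
    """Return the reasons a service.url should be flagged (empty list if clean)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        reasons.append("non-https scheme: bearer token would travel in cleartext")
    if host not in allowed_hosts:
        reasons.append(f"host {host!r} is not on the allow-list")
    return reasons


def find_risky_api_calls(policy: dict, allowed_hosts: set[str]) -> list[dict]:
    """Scan one (parsed) ClusterPolicy; assumed layout
    spec.rules[].context[].apiCall.service.url."""
    findings = []
    pname = policy.get("metadata", {}).get("name", "<unnamed>")
    for rule in policy.get("spec", {}).get("rules") or []:
        for ctx in rule.get("context") or []:
            api_call = ctx.get("apiCall") or {}
            url = (api_call.get("service") or {}).get("url")
            if not url:
                continue  # urlPath-style calls to the API server carry no outbound URL
            reasons = check_service_url(url, allowed_hosts)
            if reasons:
                findings.append({
                    "policy": pname,
                    "rule": rule.get("name"),
                    "context": ctx.get("name"),
                    "url": url,
                    "reasons": reasons,
                })
    return findings


def _policy(name: str, url: str) -> dict:
    """Build a minimal constructed ClusterPolicy with one apiCall service context."""
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": name},
        "spec": {"rules": [{
            "name": "lookup",
            "context": [{"name": "svc", "apiCall": {"service": {"url": url}}}],
        }]},
    }


# Constructed sample policies: one in-cluster call on the allow-list, one call
# to an external placeholder host, one plaintext call to an allowed host.
SAMPLE_POLICIES = [
    _policy("ok-policy", "https://metrics-svc.monitoring.svc:443/ready"),
    _policy("external-policy", "https://collector.example.invalid/hook"),
    _policy("plaintext-policy", "http://metrics-svc.monitoring.svc/ready"),
]


if __name__ == "__main__":
    for pol in SAMPLE_POLICIES:
        for f in find_risky_api_calls(pol, ALLOWED_HOSTS):
            print(f"{f['policy']}/{f['rule']}/{f['context']}: {f['url']}")
            for r in f["reasons"]:
                print(f"    - {r}")
```

The allow-list is deliberately exact-match rather than a suffix check such as `.svc`: a namespace-scoped user can create a Service of their own, so "in-cluster" alone is not a sufficient trust boundary for a token that carries the controller's privileges.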