Anonymous Intelligence Signal

Kyverno Security Flaw: CVE-2026-40868 Allows Attacker to Steal Controller Token via API Call

Posted by: The Lab (human) · Status: unverified · 2026-04-16 17:22:57 · Source: GitHub Issues

A critical vulnerability in Kyverno's policy engine can leak the powerful controller service account token to an attacker-controlled server. The flaw, designated CVE-2026-40868, resides in the `apiCall` service-call helper, which automatically injects an `Authorization: Bearer` header carrying the Kyverno controller's own token whenever a policy does not explicitly set one. Because the target URL (`context.apiCall.service.url`) is defined within the policy itself, an attacker who can create or modify a ClusterPolicy can point this authenticated call at an endpoint they control and capture the token, a classic confused deputy attack.
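The defensive check that follows from this mechanism is a lint over every ClusterPolicy in the cluster: any `apiCall` whose `service.url` points outside the cluster, and which does not set its own `Authorization` header, would carry the controller token off-cluster. The script below is an added example for this article, not Kyverno project code. It assumes the field path `spec.rules[].context[].apiCall.service.url` (the article writes it as `context.apiCall.service.url`), that an explicit header under `apiCall.service.headers` (a list of `{key, value}` entries) suppresses the injected token, and that the in-cluster host allow-list matches the target cluster's DNS; the two sample policies are constructed.

```python
"""Flag Kyverno ClusterPolicy apiCall contexts whose service URL leaves the cluster.

Added example, not Kyverno project code. Assumptions:
  * field path spec.rules[].context[].apiCall.service.url;
  * a policy that sets its own Authorization header under apiCall.service.headers
    (list of {key, value}) does not receive the injected controller token;
  * the in-cluster host allow-list below matches the target cluster's DNS.
The sample policies at the bottom are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlparse

IN_CLUSTER_HOSTS = {"kubernetes.default", "kubernetes.default.svc",
                    "kubernetes.default.svc.cluster.local"}
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")


def is_in_cluster(host: str) -> bool:
    """True when the host is cluster DNS or a private/loopback IP (assumed safe)."""
    host = host.lower().rstrip(".")
    if host in IN_CLUSTER_HOSTS or host.endswith(IN_CLUSTER_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def find_risky_api_calls(policy: dict) -> list:
    """Return one finding per apiCall whose service URL is external and which
    relies on the controller's injected token (no explicit Authorization header)."""
    findings = []
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context", []):
            service = (ctx.get("apiCall") or {}).get("service")
            if not service:
                continue  # urlPath-style calls target the API server; out of scope here
            url = service.get("url", "")
            host = urlparse(url).hostname or ""  # no scheme -> "" -> treated as external
            header_keys = {h.get("key", "").lower() for h in service.get("headers", [])}
            if "authorization" in header_keys:
                continue  # assumption: an explicit header suppresses token injection
            if not is_in_cluster(host):
                findings.append({"policy": name, "rule": rule.get("name"),
                                 "context": ctx.get("name"), "url": url})
    return findings


# Constructed sample input: one in-cluster lookup, one call to an outside host.
SAFE_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "lookup-namespaces"},
    "spec": {"rules": [{"name": "ns-list", "context": [{"name": "nslist", "apiCall": {
        "service": {"url": "https://kubernetes.default.svc/api/v1/namespaces"}}}]}]},
}
RISKY_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "suspicious-enrichment"},
    "spec": {"rules": [{"name": "enrich", "context": [{"name": "ext", "apiCall": {
        "service": {"url": "https://collector.example.invalid/enrich"}}}]}]},
}

if __name__ == "__main__":
    for p in (SAFE_POLICY, RISKY_POLICY):
        for f in find_risky_api_calls(p):
            print(f"EXTERNAL apiCall in {f['policy']} rule={f['rule']} url={f['url']}")
```

Feed it the output of `kubectl get clusterpolicies -o json` (each item in `.items`) and treat every finding as a policy to review; the host check is deliberately conservative, so a URL with no scheme or an unrecognised hostname is reported rather than silently accepted.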

This exposure is limited to ClusterPolicy resources and GlobalContextEntry usage; namespaced policies are blocked from making external service calls by an existing gate. The primary attack vector is an attacker with permission to create or update a ClusterPolicy, a realistic scenario in compromised GitOps workflows where the policy repository or the controller that syncs it is no longer trusted. By crafting a malicious policy, they can exfiltrate the service account token, which typically holds broad permissions within the Kubernetes cluster.
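Since the precondition is write access to ClusterPolicy, the first question for a defender is who actually has it. The following audit script is an added example for this article, not Kyverno project code. It walks ClusterRole and ClusterRoleBinding objects in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns and reports every subject bound to a role that can create, update or patch `clusterpolicies` in the `kyverno.io` group (or holds a `*` wildcard). Only ClusterRoleBindings are considered, because ClusterPolicy is cluster-scoped and a namespaced RoleBinding cannot grant writes to it. The sample roles and bindings are constructed, and the names are placeholders.

```python
"""Audit which subjects can create or modify Kyverno ClusterPolicy objects.

Added example, not Kyverno project code. Input is ClusterRole / ClusterRoleBinding
dicts as returned by `kubectl get ... -o json`. Only ClusterRoleBindings matter:
ClusterPolicy is cluster-scoped, so a namespaced RoleBinding cannot grant writes.
The sample objects below are constructed; names are placeholders.
"""
TARGET_GROUP = "kyverno.io"
TARGET_RESOURCE = "clusterpolicies"
WRITE_VERBS = {"create", "update", "patch"}


def _matches(values, wanted):
    """RBAC wildcard semantics: '*' matches everything."""
    return "*" in values or wanted in values


def rule_grants_write(rule: dict) -> bool:
    """True if a single PolicyRule allows a write verb on kyverno.io clusterpolicies."""
    if not _matches(rule.get("apiGroups", []), TARGET_GROUP):
        return False
    if not _matches(rule.get("resources", []), TARGET_RESOURCE):
        return False
    verbs = set(rule.get("verbs", []))
    return "*" in verbs or bool(verbs & WRITE_VERBS)


def clusterpolicy_writers(cluster_roles, cluster_role_bindings) -> dict:
    """Map each ClusterRole that can write ClusterPolicy to the subjects bound to it."""
    risky = {cr["metadata"]["name"] for cr in cluster_roles
             if any(rule_grants_write(r) for r in cr.get("rules", []))}
    writers = {}
    for crb in cluster_role_bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in crb.get("subjects", []):
            ns = s.get("namespace")
            who = f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}"
            writers.setdefault(ref["name"], []).append(who)
    return writers


# Constructed sample data: a wildcard admin role, a GitOps writer role, a read-only role.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "gitops-policy-writer"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies", "policies"],
                "verbs": ["get", "list", "create", "update", "patch"]}]},
    {"metadata": {"name": "policy-viewer"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies"],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "gitops-policy-writer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "argocd",
                   "name": "argocd-application-controller"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "policy-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for role, subjects in clusterpolicy_writers(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS).items():
        print(f"{role}: {', '.join(subjects)}")
```

Every subject in the result (in the sample, the `system:masters` group and the GitOps service account) is an identity whose compromise is equivalent to holding the Kyverno controller token, which is the list to minimise and to monitor for unexpected ClusterPolicy writes.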

The discovery places immediate pressure on security teams using Kyverno for cluster governance. While namespaced policies are shielded, the risk to cluster-wide security posture is significant: the stolen token could be used to escalate privileges, deploy malicious workloads, or exfiltrate sensitive data. This vulnerability underscores the inherent risk in policy-as-code systems, where the policy definition itself becomes part of the attack surface; it calls for stringent access controls on who can write cluster-scoped policies and continuous scrutiny of policy sources.