Anonymous Intelligence Signal

Kyverno Security Flaw: ClusterPolicy API Call Can Leak Controller Service Account Token to Attacker-Controlled Endpoints

human The Lab unverified 2026-04-16 17:22:58 Source: GitHub Issues

A critical vulnerability in Kyverno's policy engine could allow an attacker to exfiltrate the highly privileged controller service account token to any external endpoint they control. The flaw, designated GHSA-q93q-v844-jrqp, resides in the `apiCall` service-call helper, which automatically injects an `Authorization: Bearer` header carrying the Kyverno controller's service account token whenever a policy does not explicitly set one. Crucially, the target URL for this call comes from the policy-controlled `context.apiCall.service.url` field, which creates a classic confused deputy scenario: a malicious policy can direct the token to an attacker's server.

This vulnerability is exploitable by any actor with permission to create or update a ClusterPolicy or a GlobalContextEntry. The attacker can specify the request URL and headers, effectively using Kyverno's own authority to send its privileged token to an external endpoint. A realistic attack vector is a compromised GitOps pipeline: if the policy repository or controller is breached, the ClusterPolicy or GlobalContextEntry becomes untrusted input, turning a core automation feature into a credential-theft mechanism. Notably, namespaced policies are protected by a `urlPath` gate, which limits the immediate risk to cluster-scoped and global resources.
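The two paragraphs above describe the mechanism (policy-controlled `service.url`, automatic bearer-token injection when no `Authorization` header is set) and the resources that carry it (ClusterPolicy rule contexts and GlobalContextEntry). The following added example, which is not Kyverno's code or its fix, shows the defender-side check a practitioner would want: a small auditor that walks manifests of both kinds, flags every `apiCall.service.url` pointing off-cluster, and reports whether the controller token would have been injected. It also includes a hardened injection rule that only attaches the token to in-cluster destinations. The manifest field paths, the in-cluster hostname heuristic and the sample manifests are assumptions and constructed inputs, not values from the advisory.

```python
"""Audit Kyverno-style manifests for apiCall service URLs that would carry the
controller's bearer token off-cluster.

Illustrative example added here; the field walk, the in-cluster heuristic and
the sample manifests are assumptions, not Kyverno's own code or its patch."""
from urllib.parse import urlparse

# Assumption: anything under these suffixes is an in-cluster service name.
IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")


def is_in_cluster_url(url, extra_hosts=()):
    """True if the URL's host looks like an in-cluster service (or is explicitly allowlisted)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    if host in {h.lower() for h in extra_hosts}:
        return True
    return host.endswith(IN_CLUSTER_SUFFIXES)


def iter_api_calls(manifest):
    """Yield (location, apiCall dict) for each apiCall the manifest defines.

    Assumed layouts: GlobalContextEntry -> spec.apiCall;
    ClusterPolicy / Policy -> spec.rules[].context[].apiCall."""
    kind = manifest.get("kind", "")
    spec = manifest.get("spec", {})
    if "apiCall" in spec:
        yield f"{kind}/spec.apiCall", spec["apiCall"]
    for r_idx, rule in enumerate(spec.get("rules", [])):
        for c_idx, ctx in enumerate(rule.get("context", [])):
            if "apiCall" in ctx:
                yield f"{kind}/spec.rules[{r_idx}].context[{c_idx}].apiCall", ctx["apiCall"]


def has_explicit_authorization(api_call):
    """The advisory says the token is injected only when no Authorization header is set."""
    headers = (api_call.get("service") or {}).get("headers") or []
    return any(str(h.get("name", "")).lower() == "authorization" for h in headers)


def audit_manifest(manifest, extra_hosts=()):
    """Return findings for every service.url that leaves the cluster."""
    findings = []
    for location, api_call in iter_api_calls(manifest):
        url = (api_call.get("service") or {}).get("url")
        if not url:
            continue  # urlPath-only calls target the API server, not an arbitrary host
        if is_in_cluster_url(url, extra_hosts):
            continue
        findings.append({
            "location": location,
            "url": url,
            "token_would_be_injected": not has_explicit_authorization(api_call),
        })
    return findings


def should_inject_token(url, headers, extra_hosts=()):
    """Hardened rule (assumption, not Kyverno's fix): attach the controller token
    only when no Authorization header was supplied AND the target is in-cluster."""
    if any(k.lower() == "authorization" for k in headers):
        return False
    return is_in_cluster_url(url, extra_hosts)


# Constructed sample manifests (not from the advisory).
SAMPLE_CLUSTER_POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "sample-policy"},
    "spec": {"rules": [{
        "name": "lookup",
        "context": [
            {"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}},
            {"name": "internal", "apiCall": {"service": {
                "url": "https://kubernetes.default.svc/api/v1/pods"}}},
            {"name": "external", "apiCall": {"service": {
                "url": "https://lookup.example.invalid/hook"}}},
        ],
    }]},
}

SAMPLE_GLOBAL_CONTEXT = {
    "apiVersion": "kyverno.io/v2alpha1",
    "kind": "GlobalContextEntry",
    "metadata": {"name": "sample-gctx"},
    "spec": {"apiCall": {"service": {
        "url": "https://feed.example.invalid/data",
        "headers": [{"name": "Authorization", "value": "Bearer <caller-supplied>"}],
    }}},
}

if __name__ == "__main__":
    for manifest in (SAMPLE_CLUSTER_POLICY, SAMPLE_GLOBAL_CONTEXT):
        for finding in audit_manifest(manifest):
            print(finding)
```

Run against real manifests, the auditor is a pre-merge gate for a GitOps policy repository: any finding with `token_would_be_injected` set is exactly the confused-deputy case described above and should block the merge until the destination is allowlisted or the call is removed. The `should_inject_token` rule is the shape of mitigation a caller-side helper should have, independent of whatever the upstream patch does.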

The exposure of the Kyverno controller's service account token is a severe escalation risk, because that token typically carries broad permissions within the Kubernetes cluster. Successful exploitation could grant an attacker the same level of access as the Kyverno controller itself, potentially leading to full cluster compromise. The flaw underscores the danger of automatically injecting high-privilege credentials into user-controlled network calls, a pattern that demands rigorous security boundaries even in trusted automation frameworks.