Kyverno SSRF Flaw Exposes Multi-Tenant Kubernetes Environments to Cross-Tenant Credential Theft
A critical Server-Side Request Forgery (SSRF) vulnerability in Kyverno's APICall feature allows users with Policy creation permissions to pivot from low-privilege namespace access into high-value internal targets, effectively dismantling tenant isolation in shared Kubernetes clusters. Tracked as GHSA-fmqp-4wfc-w3v7 and classified as high severity, the flaw stems from Kyverno's use of a high-privilege ServiceAccount to execute outbound HTTP requests on behalf of Policies, without validating whether the requested URLs fall within intended boundaries.
The vulnerability resides in Kyverno's APICall mechanism, which permits Policies to fetch external data via HTTP. The code path in `api/kyverno/v1/common_types.go` (lines 247-250) fails to enforce URL allowlisting or destination constraints when initiating requests. This means any user granted Policy creation rights—whether at namespace or cluster scope—can direct Kyverno's privileged ServiceAccount toward internal services, metadata endpoints, or credential stores. Attackers can harvest database passwords, API keys, and cloud platform IAM tokens that would otherwise be inaccessible from their assigned tenant context. Unlike exploits requiring cluster-admin access, this attack surface exists with far more widely distributed permissions.
The flaw presents acute risk in managed Kubernetes offerings, shared development clusters, and any environment where tenants coexist on the same control plane. Organizations relying on Kyverno for policy enforcement should treat this as a complete bypass of the trust model underpinning multi-tenancy. Until patches are available and applied, the practical mitigation involves severely restricting Policy creation permissions, auditing existing Policies for APICall usage, and monitoring for anomalous outbound traffic patterns originating from Kyverno's service account. The Confused Deputy dynamic at play means the platform itself becomes the unwitting agent of data exfiltration.
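The audit step in the mitigation above can be scripted against a policy dump. The following is an added example, not Kyverno project code: it reads the JSON that `kubectl get clusterpolicies,policies -A -o json` would produce, walks every `apiCall` context entry, and flags destinations that are not on a platform-approved allowlist, with link-local, loopback and private addresses called out by class. The policy objects are constructed sample data, the allowlist is an assumption for the example, and the context schema (`spec.rules[].context[].apiCall` carrying either `urlPath` or `service.url`) is assumed from Kyverno's documented layout rather than taken from the advisory.

```python
"""Audit Kyverno Policy / ClusterPolicy objects for APICall context entries.

Added example, not Kyverno project code. Input is the "items" list that
`kubectl get clusterpolicies,policies -A -o json` produces; the policies
below are constructed sample data. Assumed schema: spec.rules[].context[]
.apiCall carries either `urlPath` (a request to the Kubernetes API server)
or `service.url` (a request to an arbitrary HTTP endpoint), both issued
with Kyverno's own ServiceAccount credentials.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Hosts the platform team has explicitly approved as APICall targets.
# Constructed allowlist for this example.
APPROVED_HOSTS = {"policy-data.tooling.svc"}

# Constructed sample dump: one approved call, one link-local call from a
# tenant namespace, one API-server path lookup.
SAMPLE_POLICY_DUMP = json.loads(r'''
{"items": [
  {"kind": "ClusterPolicy", "metadata": {"name": "sync-labels"},
   "spec": {"rules": [{"name": "fetch-labels", "context": [
     {"name": "labels", "apiCall": {"method": "GET",
      "service": {"url": "https://policy-data.tooling.svc/labels"}}}]}]}},
  {"kind": "Policy", "metadata": {"name": "lookup", "namespace": "tenant-a"},
   "spec": {"rules": [{"name": "probe", "context": [
     {"name": "meta", "apiCall": {"method": "GET",
      "service": {"url": "http://169.254.0.1/"}}}]}]}},
  {"kind": "Policy", "metadata": {"name": "count-pods", "namespace": "tenant-b"},
   "spec": {"rules": [{"name": "pods", "context": [
     {"name": "pods", "apiCall": {"urlPath": "/api/v1/namespaces/tenant-b/pods",
      "jmesPath": "items | length(@)"}}]}]}}
]}
''')


def classify_host(host):
    """Label an APICall destination: approved, unlisted name, or an IP class."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "approved" if host in APPROVED_HOSTS else "unlisted-host"
    if ip.is_link_local:
        return "link-local"      # cloud metadata services live in this range
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private-ip"      # cluster-internal or VPC-internal service
    return "public-ip"


def audit_policies(dump):
    """Return one finding per apiCall context entry across all policies."""
    findings = []
    for item in dump.get("items", []):
        meta = item.get("metadata", {})
        where = f'{item.get("kind")}/{meta.get("name")}'
        if meta.get("namespace"):
            where = f'{meta["namespace"]}/{where}'
        for rule in item.get("spec", {}).get("rules", []):
            for ctx in rule.get("context") or []:
                call = ctx.get("apiCall")
                if not call:
                    continue
                url = (call.get("service") or {}).get("url")
                if url:
                    verdict = classify_host(urlparse(url).hostname or "")
                    target = url
                else:
                    # urlPath is sent to the API server with Kyverno's SA token,
                    # so it still deserves a look even though it is not SSRF.
                    verdict = "apiserver-path"
                    target = call.get("urlPath", "")
                findings.append({
                    "policy": where,
                    "rule": rule.get("name"),
                    "context": ctx.get("name"),
                    "target": target,
                    "verdict": verdict,
                    "action": "ok" if verdict == "approved" else "review",
                })
    return findings


def needs_review(dump):
    """Findings a platform team should inspect before trusting the policy."""
    return [f for f in audit_policies(dump) if f["action"] == "review"]


if __name__ == "__main__":
    for f in audit_policies(SAMPLE_POLICY_DUMP):
        print(f'{f["action"]:6} {f["verdict"]:15} {f["policy"]:30} {f["target"]}')
```

Run it against a real dump by replacing `SAMPLE_POLICY_DUMP` with `json.load(open("policies.json"))`; anything marked `review` is an APICall whose destination the platform team has not approved, which is the set worth pairing with the RBAC restriction and the egress monitoring the article recommends.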