Kyverno Vulnerability CVE-2026-40868 Enables Confused Deputy Attack via Forced Token Leak
Kyverno, a policy engine widely deployed in cloud native environments, contains a high-severity vulnerability (CVE-2026-40868) that allows an attacker to redirect the Kyverno controller's service account token to an attacker-controlled endpoint. The flaw stems from the apiCall servicecall helper, which implicitly injects an Authorization: Bearer token when a policy does not explicitly define an Authorization header. Because the context.apiCall.service.url parameter is policy-controlled, a malicious or compromised ClusterPolicy could trigger the Kyverno controller to transmit its service account credentials to an external server under attacker control.
The vulnerability affects all Kyverno releases prior to 1.16.4. Technical analysis in the project's security advisory indicates that the token injection occurs automatically, exploiting the trusted relationship between the policy engine and its own service account. This creates a confused deputy scenario where the Kyverno controller unknowingly acts as an intermediary, delivering sensitive credentials to a third party. Namespaced policies are protected by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, which blocks servicecall usage in those contexts, but ClusterPolicy and global context configurations remain exposed.
Organizations running Kyverno in production should immediately assess whether untrusted ClusterPolicies are in use and verify that policies accessing external services are sourced from trusted parties. The vulnerability has been patched in version 1.16.4, and organizations on release-1.16, release-1.17, or main branches should update without delay. Security teams should audit existing ClusterPolicies for any apiCall references pointing to external endpoints, particularly those without explicit Authorization headers. The underlying code scanning record is available at the project's security advisories page for further technical reference.
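The audit step described above can be scripted against the JSON that kubectl already emits. The following is an added example for this article, not code from the Kyverno project: it walks ClusterPolicy and GlobalContextEntry objects, finds every apiCall service call, and reports external URLs, ranking those with no explicit Authorization header highest because that is the case in which the controller injects its own bearer token. It assumes the manifest layout context[].apiCall.service.{url,headers[]} with header entries of {key,value} and spec.apiCall.service for GlobalContextEntry; the sample objects and the collector.example.invalid hostname are constructed placeholders, and the "cluster-internal" heuristic (the .svc suffixes and kubernetes.default) is the author's assumption, not a Kyverno definition.

```python
"""Audit Kyverno ClusterPolicy / GlobalContextEntry objects for apiCall service
calls that would receive the controller's implicitly injected bearer token.

Added example, not Kyverno project code. Assumed schema:
  ClusterPolicy:       spec.rules[].context[].apiCall.service.{url, headers[]}
  GlobalContextEntry:  spec.apiCall.service.{url, headers[]}
Header entries are assumed to be {"key": ..., "value": ...}.
Feed it `kubectl get clusterpolicy,globalcontextentry -o json` (a List) or a
single object. Namespaced Policy objects are skipped: per the advisory, the
urlPath gate already blocks service calls there.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption: what counts as "inside the cluster". Tune for your environment.
INTERNAL_SUFFIXES = (".svc", ".svc.cluster.local")
INTERNAL_HOSTS = {"kubernetes.default", "kubernetes.default.svc", "localhost", "127.0.0.1"}


def is_cluster_internal(url):
    """True if the URL's host looks like an in-cluster service address."""
    host = (urlparse(url).hostname or "").lower()
    return host in INTERNAL_HOSTS or any(host.endswith(s) for s in INTERNAL_SUFFIXES)


def has_explicit_authorization(service):
    """True if the service call sets its own Authorization header (case-insensitive)."""
    return any(str(h.get("key", "")).lower() == "authorization"
               for h in (service.get("headers") or []))


def iter_service_calls(obj):
    """Yield (object name, location, service dict) for every apiCall.service."""
    kind = obj.get("kind", "")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    spec = obj.get("spec", {}) or {}
    if kind == "GlobalContextEntry":
        svc = (spec.get("apiCall") or {}).get("service")
        if svc:
            yield name, "spec.apiCall", svc
        return
    if kind != "ClusterPolicy":          # namespaced Policy and anything else: out of scope
        return
    for i, rule in enumerate(spec.get("rules") or []):
        for ctx in rule.get("context") or []:
            svc = (ctx.get("apiCall") or {}).get("service")
            if svc:
                yield name, f"rules[{i}].context[{ctx.get('name', '?')}]", svc


def load_items(doc):
    """Accept either a kubectl List wrapper or a single object."""
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def audit(objects):
    """Return findings for external service calls, worst first."""
    findings = []
    for obj in objects:
        for name, where, svc in iter_service_calls(obj):
            url = svc.get("url", "")
            if is_cluster_internal(url):
                continue
            # No explicit Authorization header => controller token is injected.
            severity = "review" if has_explicit_authorization(svc) else "token-leak"
            findings.append({"object": name, "where": where, "url": url, "severity": severity})
    return sorted(findings, key=lambda f: f["severity"] != "token-leak")


# Constructed sample input standing in for kubectl output.
SAMPLE_ITEMS = [
    {"kind": "ClusterPolicy", "metadata": {"name": "sample-cpol"}, "spec": {"rules": [
        {"name": "r0", "context": [
            {"name": "internal", "apiCall": {"service": {"url": "https://svc-a.kube-system.svc.cluster.local/lookup"}}},
            {"name": "leaky", "apiCall": {"service": {"url": "https://collector.example.invalid/hook"}}},
        ]},
    ]}},
    {"kind": "GlobalContextEntry", "metadata": {"name": "sample-gce"}, "spec": {"apiCall": {
        "service": {"url": "https://api.example.invalid/v1",
                    "headers": [{"key": "Authorization", "value": "Bearer <placeholder>"}]}}}},
    {"kind": "Policy", "metadata": {"name": "ns-pol"}, "spec": {"rules": [
        {"name": "r0", "context": [{"name": "x", "apiCall": {"service": {"url": "https://ignored.example.invalid/"}}}]},
    ]}},
]

FINDINGS = audit(SAMPLE_ITEMS)

if __name__ == "__main__":
    items = load_items(json.load(sys.stdin)) if not sys.stdin.isatty() else SAMPLE_ITEMS
    for f in audit(items):
        print(f"{f['severity']:10} {f['object']} {f['where']} -> {f['url']}")
```

Run it as `kubectl get clusterpolicy,globalcontextentry -o json | python3 audit_apicall.py`; with no piped input it audits the constructed sample. A "token-leak" line is the condition the advisory describes and should be treated as a credential exposure on unpatched controllers, while "review" lines are external calls that still deserve a source-of-trust check even though the implicit injection does not apply to them.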