Kyverno CEL HTTP SSRF Vulnerability (CVE-2026-4789) Analysis and Mitigation

Kyverno SSRF Vulnerability (VU#655822) Vulnerability Overview Kyverno versions 1.16.0 and later contain a Server-Side Request Forgery (SSRF) vulnerability in their CEL expression HTTP functions (Get and Post). This vulnerability exists in the HTTP functions used by namespace-scoped policy types in the API group. Root Cause: While Kyverno's resource repository enforces namespace boundaries, the CEL HTTP library ( ) performs no URL validation or scoping restrictions—no blacklists, namespace constraints, or destination checks. Impact Scope Attack Vector: An authenticated attacker with namespace-level permissions can create malicious namespace policies Attack Method: Send internal requests, capture responses into CEL variables, and exfiltrate them via the policy's field in admission denial responses Impact: Since requests originate from the Kyverno admission controller Pod with privileged network reachability, attackers can: - Access data across namespaces - Access internal cluster services - Access cloud metadata APIs - Exfiltrate sensitive metadata or service responses Remediation Status: Vendor could not be reached to coordinate a fix; no patch available, only mitigation measures provided Mitigation Recommendations: 1. Implement strict URL validation and destination controls in Kyverno's CEL HTTP library 2. Block access to link-local and cloud metadata address ranges 3. Restrict outbound requests to approved intra-cluster services 4. Provide administrators with configurable allowlists 5. Apply default-deny network policies to Kyverno admission controller Pods to prevent unauthorized outbound traffic --- CVE ID: CVE-2026-4789 Disclosure Date: 2026-03-30 Discoverer: Igor Stepanasky (Orca Security Research Pod)

Goal Reached Thanks to every supporter — we hit 100%!

Kyverno CEL HTTP SSRF Vulnerability (CVE-2026-4789) Analysis and Mitigation