
CVE-2026-40868 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: April 21, 2026

Kyverno - Authentication Bypass

Published: April 21, 2026 | Updated: April 21, 2026 | Remote Exploitable

Overview

Kyverno versions before 1.16.4 disclose an authorization token: the apiCall servicecall helper implicitly injects the Kyverno controller's serviceaccount token into the outbound request, so an attacker who controls the endpoint a policy calls receives that token. Exploitation requires a ClusterPolicy or global context usage that makes such a call.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can obtain the Kyverno serviceaccount token, potentially leading to privilege escalation or unauthorized access.

Mitigation

Update to version 1.16.4 or later.
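Alongside upgrading, a defender will want an inventory of which policies actually make apiCall service calls to endpoints outside the cluster, since those are the destinations the injected token is sent to. The following audit helper is an added example, not code from the advisory or from the Kyverno project; it assumes Kyverno's `spec.rules[].context[].apiCall.service.url` and `GlobalContextEntry` `spec.apiCall.service.url` fields and treats bare Service names and `.svc` / `.svc.cluster.local` hosts as in-cluster. The sample objects are constructed.

```python
"""Flag Kyverno policies whose apiCall context entries target services
outside the cluster. Assumed schema: spec.rules[].context[].apiCall.service.url
(ClusterPolicy/Policy) and spec.apiCall.service.url (GlobalContextEntry).
"""
from urllib.parse import urlsplit

IN_CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local")


def is_in_cluster(url):
    """True when the URL's host looks like an in-cluster Service name."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    if "." not in host:  # bare Service name, resolved in the same namespace
        return True
    return host.endswith(IN_CLUSTER_SUFFIXES)


def apicall_urls(obj):
    """Yield (location, url) for every apiCall.service.url in one object."""
    kind, name = obj.get("kind", ""), obj.get("metadata", {}).get("name", "?")
    spec = obj.get("spec", {})
    if kind == "GlobalContextEntry":
        url = spec.get("apiCall", {}).get("service", {}).get("url")
        if url:
            yield (f"{kind}/{name}", url)
        return
    for rule in spec.get("rules", []):
        for ctx in rule.get("context", []):
            url = ctx.get("apiCall", {}).get("service", {}).get("url")
            if url:  # entries with only urlPath go to the API server, skip
                yield (f"{kind}/{name}:{rule.get('name')}/{ctx.get('name')}", url)


def find_external_apicalls(objects):
    """Return [(location, url)] for apiCall targets that are not in-cluster."""
    return [(loc, url) for obj in objects for loc, url in apicall_urls(obj)
            if not is_in_cluster(url)]


SAMPLE_OBJECTS = [  # constructed sample policies, not from the advisory
    {"kind": "ClusterPolicy", "metadata": {"name": "check-namespace"},
     "spec": {"rules": [{"name": "lookup", "context": [
         {"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}},
         {"name": "svc", "apiCall": {"service": {"url": "https://lookup.kyverno.svc/q"}}}]}]}},
    {"kind": "ClusterPolicy", "metadata": {"name": "enrich"},
     "spec": {"rules": [{"name": "r1", "context": [
         {"name": "ext", "apiCall": {"service": {"url": "https://example.invalid/hook"}}}]}]}},
    {"kind": "GlobalContextEntry", "metadata": {"name": "gctx"},
     "spec": {"apiCall": {"service": {"url": "http://203.0.113.10:8080/"}}}},
]
```

Feed it the output of `kubectl get clusterpolicy,policy,globalcontextentry -A -o json` (the `items` list) to audit a live cluster; every hit is a policy to review or remove before, as well as after, the upgrade.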

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 21, 2026

🟠 CVE-2026-40868 - High (8.1) Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy d... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40868/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-40868
Severity: High
CVSS Score: 8.1
Type: broken_authentication
Status: new
EPSS: 0.0%
Social Posts: 1

CWE

  • CWE-922

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0% (probability of exploitation in the next 30 days)