A critical vulnerability in Kyverno, identified as CVE-2026-54523 with a CVSS score of 9.6, has been disclosed, allowing namespace tenants to escalate privileges to admin across any namespace in Kubernetes clusters. This flaw affects versions 1.18.1 and earlier. The exploitation occurs through the NamespacedGeneratingPolicy feature, lacking verification of the target namespace, potentially leading to unauthorized access. The issue has been patched in version 1.18.2, and administrators are urged to upgrade to mitigate the risk.
CVE-2026-54523 (CVSS 9.6): Public PoC Exploit Enables Kyverno Privilege Escalation to Admin in Any Namespace
CyberSIXT Evidence Panel
Article by CyberSIXT