{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4789", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-03-24T20:03:13.388Z", "datePublished": "2026-03-30T20:44:00.607Z", "dateUpdated": "2026-04-01T18:43:50.952Z"}, "containers": {"cna": {"title": "CVE-2026-4789", "descriptions": [{"lang": "en", "value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Kyverno", "product": "Kyverno", "versions": [{"status": "affected", "version": "1.16.0"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "references": [{"url": "https://github.com/kyverno/kyverno"}, {"url": "https://kb.cert.org/vuls/id/655822"}, {"url": "https://portswigger.net/web-security/ssrf"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4789"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-30T20:44:00.607Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/655822"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-30T21:18:08.577Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:43:09.447511Z", "id": "CVE-2026-4789", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:43:50.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/655822"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-30T21:18:08.577Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4789", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T18:43:09.447511Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:43:36.754Z"}}], "cna": {"title": "CVE-2026-4789", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Kyverno", "product": "Kyverno", "versions": [{"status": "affected", "version": "1.16.0"}]}], "references": [{"url": "https://github.com/kyverno/kyverno"}, {"url": "https://kb.cert.org/vuls/id/655822"}, {"url": "https://portswigger.net/web-security/ssrf"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4789"}, "descriptions": [{"lang": "en", "value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-30T20:44:00.607Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4789", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:43:50.952Z", "dateReserved": "2026-03-24T20:03:13.388Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-30T20:44:00.607Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."}, {"lang": "es", "value": "Kyverno, versiones 1.16.0 y posteriores, son vulnerables a SSRF debido a funciones HTTP CEL sin restricciones."}], "id": "CVE-2026-4789", "lastModified": "2026-04-01T19:16:34.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T21:17:10.843", "references": [{"source": "cret@cert.org", "url": "https://github.com/kyverno/kyverno"}, {"source": "cret@cert.org", "url": "https://kb.cert.org/vuls/id/655822"}, {"source": "cret@cert.org", "url": "https://portswigger.net/web-security/ssrf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/655822"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.16.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kyverno", "source": "cna", "vendor": "Kyverno"}, "product": "kyverno", "vendor": "kyverno"}], "analysis": {"en": {"generated_at": "2026-03-31T06:00:00.433038+00:00", "value": {"mitigation_remediation": ["Upgrade Kyverno to the latest release that restricts CEL HTTP functions", "If an upgrade cannot be performed immediately, disable or remove CEL HTTP functions from policies or enforce policies that block them", "Verify that the cluster\u2019s network policies and firewall rules limit outbound traffic from the Kyverno pod to only necessary destinations"], "summary": {"action": "Patch", "impact": "Server-side request forgery (SSRF) leading to potential internal network exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kyverno, the Kubernetes policy engine. All releases from 1.16.0 onward are impacted until a fix that limits or disables the CEL HTTP function is applied. No specific sub\u2011versions are excluded; any installation running an affected version is at risk.", "description_and_impact": "Kyverno versions 1.16.0 and later expose an SSRF flaw through unrestricted Common Expression Language (CEL) HTTP functions. An attacker who can influence or inject a CEL expression may cause the Kyverno controller to issue arbitrary HTTP requests to any IP address reachable from the cluster. This can lead to data exfiltration, discovery of internal services, or further lateral movement. The core weakness is an unchecked HTTP call capability embedded in policy evaluation, enabling malicious payloads to force requests to privileged internal endpoints.", "risk_and_exploitability": "Official risk scoring is not available, but the nature of SSRF implies that confidentiality and availability risks could be significant, especially in environments with open internal services. The lack of an EPSS value does not preclude exploitation; attackers can craft a policy that triggers the vulnerable function. Because the vulnerability relies on an input that an attacker can control (policy or admission review), the attack requires knowledge of Kyverno deployment, but once present it can be exploited with minimal effort. The vulnerability is not listed in the KEV catalog at this time."}}}}, "created": "2026-03-31T19:57:18.409816+00:00", "title": "Unrestricted CEL HTTP Functions Lead to SSRF in Kyverno 1.16.0+", "updated": "2026-03-31T20:40:02.875536+00:00", "vendors": ["kyverno", "kyverno$PRODUCT$kyverno"], "weaknesses": ["CWE-918"]}