PT-2025-18296 · Kyverno · Kyverno

Anbrsap · Published 2025-04-29 · Updated 2026-04-16 · CVE-2025-46342

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kyverno versions prior to 1.13.5 and 1.14.0

Description

The issue concerns a policy engine in which policy rules that use namespace selectors in their match statements may not be applied correctly because of missing error propagation in the GetNamespaceSelectorsFromNamespaceLister function. This could allow attackers with K8s API access to perform malicious operations by bypassing security-critical mutations and validations.

Recommendations

For versions prior to 1.13.5, update to version 1.13.5 or later. For versions prior to 1.14.0, update to version 1.14.0 or later. As a temporary workaround, consider restricting access to the K8s API to minimize the risk of exploitation.
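
The missing error propagation named in the description, shown as a simplified model of why a dropped lookup error makes a namespace-selector rule fail open. This is an added example, not Kyverno's code: the `lister` type, the `env=prod` deny rule, the `payments` namespace and all function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// lister is a constructed stand-in for a namespace cache: name -> labels.
type lister map[string]map[string]string

func (l lister) get(ns string) (map[string]string, error) {
	if labels, ok := l[ns]; ok {
		return labels, nil
	}
	return nil, errors.New("namespace not found in lister")
}

// ruleMatches models a deny rule whose namespaceSelector is env=prod (hypothetical).
func ruleMatches(labels map[string]string) bool { return labels["env"] == "prod" }

// admitFailOpen drops the lookup error, so a failed lookup looks like an
// unlabeled namespace, the selector does not match, and the rule is skipped.
func admitFailOpen(l lister, ns string) bool {
	labels, _ := l.get(ns)
	return !ruleMatches(labels)
}

// admitFailClosed propagates the error so the caller rejects the request
// instead of evaluating the rule against missing data.
func admitFailClosed(l lister, ns string) (bool, error) {
	labels, err := l.get(ns)
	if err != nil {
		return false, fmt.Errorf("namespace labels for %q: %w", ns, err)
	}
	return !ruleMatches(labels), nil
}

func main() {
	healthy := lister{"payments": {"env": "prod"}}
	failing := lister{} // constructed: lookup for "payments" errors out
	fmt.Println("healthy, fail-open admitted:", admitFailOpen(healthy, "payments"))
	fmt.Println("failing, fail-open admitted:", admitFailOpen(failing, "payments"))
	admitted, err := admitFailClosed(failing, "payments")
	fmt.Println("failing, fail-closed admitted:", admitted, "err:", err)
}
```

When reviewing admission code, treat any path where a label or selector lookup error is logged but not returned as a potential policy bypass.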

Related Identifiers

BIT-KYVERNO-2025-46342
CLEANSTART-2026-UQ68343
CLEANSTART-2026-WI71304
CVE-2025-46342
ECHO-A1D7-19DB-3D6B
GHSA-JRR2-X33P-6HVC
GO-2025-3652
OPENSUSE-SU-2025:15059-1

Affected Products

Kyverno