CVE-2026-55069

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...

CVE-2026-46617

CVE-2026-46617 (Fission) affects Fission runtimes prior to v1.23.0. The runtime pod was created with ServiceAccountName: fission-fetcher, which had namespace-wide get permissions on secrets and configmaps. The automounted token was accessible inside user function containers at /var/run/secrets/ku...

CVE-2026-41184

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...

CVE-2026-41184 ServiceAccount token disclosure via install-cni container logs

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...

CVE-2026-41184 ServiceAccount token disclosure via install-cni container logs

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...

CVE-2026-41185 ServiceAccount token disclosure via Azure IPAM CNI plugin logs

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...

CVE-2026-41184

In Calico, the install-cni init container logs the rendered CNI configuration and, when the template uses the SERVICEACCOUNT_TOKEN placeholder (Canal/Flannel-Calico deployments), substitutes the live Kubernetes ServiceAccount bearer token for logging. This exposes the token to any authenticated u...

PT-2026-44409

Name of the Vulnerable Software and Affected Versions Calico affected versions not specified Description The install-cni init container logs the rendered CNI configuration to standard output. In Canal or Flannel-Calico deployments where the configuration template uses the SERVICEACCOUNT TOKEN...

CVE-2026-41323 Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...

CVE-2026-41323

Summary of CVE-2026-41323 : Kyverno’s ClusterPolicy apiCall feature leaks the admission controller’s ServiceAccount token by attaching it to outgoing HTTP requests without validating the target URL. This allows tokens (e.g., for the kyverno-admission-controller) to be exfiltrated to attacker-cont...

CVE-2026-41323 Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...

BIT-KYVERNO-2026-40868 kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header...

CVE-2026-40868

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header...

CVE-2026-40868

Kyverno pre-1.16.4 apiCall serviceCall implicitly injects the Authorization: Bearer token from the kyverno serviceaccount when a policy omits an Authorization header. Since context.apiCall.service.url is policy-controlled, this can leak the serviceaccount token to attacker-controlled endpoints (c...

kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token

kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount tok...

PT-2026-33227

Name of the Vulnerable Software and Affected Versions Kyverno versions prior to 1.16.4 Description The apiCall servicecall helper implicitly injects an 'Authorization: Bearer ...' header using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization heade...

GHSA-J5Q5-J9GM-2W5C Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod

Summary The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests e.g. by creating TaskRuns or PipelineRuns that use the git resolver can read arbitrary files from the resolver pod's filesystem, including...

EUVD-2025-9524

Malicious code in bioql PyPI...

GHSA-28GR-56HR-PRP6 Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...

CVE-2025-2786

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...