How severe is GHSA-qr4g-8hrp-c4rw?

GHSA-qr4g-8hrp-c4rw has a CVSS score of 7.7/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-qr4g-8hrp-c4rw?

GHSA-qr4g-8hrp-c4rw affects the following packages: github.com/kyverno/kyverno (Go). Ecosystems affected: Go.

How do I fix GHSA-qr4g-8hrp-c4rw?

No patched version of github.com/kyverno/kyverno has shipped for GHSA-qr4g-8hrp-c4rw yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-qr4g-8hrp-c4rw in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/kyverno/kyverno. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-qr4g-8hrp-c4rw if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-qr4g-8hrp-c4rw?

O3 pinpoints whether GHSA-qr4g-8hrp-c4rw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-qr4g-8hrp-c4rw actively exploited in the wild?

No public exploit code has been indexed for GHSA-qr4g-8hrp-c4rw yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-qr4g-8hrp-c4rw published, and has it been updated?

GHSA-qr4g-8hrp-c4rw was published on April 14, 2026 and was last updated on April 26, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-qr4g-8hrp-c4rw

HIGH

Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF

Published

Apr 14, 2026

Updated

Apr 26, 2026

Affected

1 pkg

Patched

None yet

Exploits

None indexed

Blast Radius

1 pkg affected

🐹github.com/kyverno/kyverno

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Kyverno allows authenticated users to induce the admission controller to send arbitrary HTTP requests to attacker-controlled endpoints.

When a ClusterPolicy uses apiCall.service.url with variable substitution (e.g. {{request.object.*}}), user-controlled input can influence the request target. The Kyverno admission controller executes these requests from its privileged network position without enforcing any validation or network restrictions.

The issue becomes non-blind SSRF, as response data from internal services can be reflected back to the user via admission error messages.

Details

Kyverno supports variable substitution in apiCall.service.url, a documented feature intended to enable dynamic external lookups during admission control.

However, the current implementation lacks fundamental safeguards in the HTTP execution path:

Missing protections

No URL validation
User-controlled input is directly embedded into the request URL without validation or normalization.
No IP filtering
Requests can target:
- Loopback (127.0.0.1)
- Link-local (169.254.0.0/16)
- Cloud metadata services (e.g. AWS IMDS)
- Internal ClusterIP services
Redirect handling not restricted
The Go HTTP client uses default redirect behavior (CheckRedirect == nil), allowing up to 10 redirects without re-validation of the target.
Response data reflection in admission errors
Response bodies are propagated back to the user in admission responses under certain conditions.

Non-blind SSRF behavior

The vulnerability is non-blind through two mechanisms:

Non-2xx responses
Response body is returned in admission error messages (e.g. executor.go:98-101)
2xx responses with non-JSON content
Parsing failures (JSON/JMESPath) include response snippets in error output

This allows attackers to retrieve data from internal services directly via kubectl output.

PoC

Preconditions

A ClusterPolicy using:

apiCall:
  service:
    url: "http://{{ request.object.metadata.annotations.target }}"

An authenticated user able to create matching resources (e.g. Pods)

Step 1 — Create malicious resource

apiVersion: v1
kind: Pod
metadata:
  name: ssrf-test
  annotations:
    target: "169.254.169.254/latest/meta-data/iam/security-credentials/"
spec:
  containers:
  - name: test
    image: nginx

Step 2 — Apply resource

kubectl apply -f pod.yaml

Step 3 — Observe output

Example output:

Error from server: admission webhook "kyverno" denied the request:
failed to process apiCall: <response body from metadata service>

Variations

Internal services: http://kubernetes.default.svc
Loopback: http://127.0.0.1:8080
Redirect chains to bypass naive filters

Impact

Vulnerability class

Server-Side Request Forgery (SSRF)
Non-blind data exfiltration

Affected scope

Kubernetes clusters using Kyverno policies with apiCall.service.url and variable substitution

Impact details

Access to internal services (ClusterIP, localhost)
Access to cloud metadata endpoints (e.g. IMDSv1 → credential exposure)
Internal network reconnaissance
Multi-tenant boundary weakening

This issue can be combined with automatic ServiceAccount token forwarding (reported separately) to form a critical attack chain.

Affected Packages

1 total

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/kyverno/kyverno`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/kyverno/kyverno. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of github.com/kyverno/kyverno has shipped for GHSA-qr4g-8hrp-c4rw yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-qr4g-8hrp-c4rw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-qr4g-8hrp-c4rw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary A Server-Side Request Forgery (SSRF) vulnerability in Kyverno allows authenticated users to induce the admission controller to send arbitrary HTTP requests to attacker-controlled endpoints. When a `ClusterPolicy` uses `apiCall.service.url` with variable substitution (e.g. `{{request.object.*}}`), user-controlled input can influence the request target. The Kyverno admission controller executes these requests from its privileged network position without enforcing any validation or network restrictions. The issue becomes **non-blind SSRF**, as response data from internal services ca

O3 Security · Impact-Aware SCA

Is GHSA-qr4g-8hrp-c4rw in your dependencies?

O3 detects GHSA-qr4g-8hrp-c4rw across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works