Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken Jun 2026


If the compromised instance has high-level permissions, the attacker can pivot to control your entire cloud infrastructure.

Kyverno SSRF Vulnerability (CVE-2026-4789) | Orca Security

```json
{
  "access_token": "eyJ0eX...",
  "refresh_token": "",
  "expires_in": "3599",
  "expires_on": "1506485098",
  "not_before": "1506484198",
  "resource": "https://azure.com",
  "token_type": "Bearer"
}
```

Security Considerations and Risks

```bash
# Get an access token for Azure Key Vault
vaultToken=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true -s | jq -r .access_token)

# Use the token to access a secret
curl -X GET -H "Authorization: Bearer $vaultToken" -H "Content-Type: application/json" https://azure.net
```

If an attacker successfully extracts the OAuth token via this SSRF technique, the security boundary of the entire cloud ecosystem is broken. The consequences are severe: If the compromised instance has high-level permissions, the

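```python
import ipaddress
import socket


# The function name is a placeholder; the original fragment shows only the body.
def resolves_only_to_public_ips(hostname):
    # Resolve hostname to IPs (watch for DNS rebinding)
    try:
        ip_list = socket.getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
        for addr in ip_list:
            ip = ipaddress.ip_address(addr[4][0])
            # 169.254.169.254 is link-local, so the metadata endpoint is rejected here
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                return False
    except (socket.gaierror, ValueError):
        # Unresolvable name or unparseable address: fail closed
        return False
    return True
```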
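For finding the encoded string from this page's title in logs, the following added example (not code from the original page) undoes both the `-3A-2F` slug form and percent-encoding, including double encoding, and flags any embedded URL whose host is a link-local IP literal. The function names, the `/hooks/new` and `/fonts/` paths and `hooks.example.com` are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (paths and hosts are illustrative, not from a real system).
SAMPLE_LOGS = [
    "GET /hooks/new?webhook-url=http%3A%2F%2F169.254.169.254%2Fmetadata%2Fidentity%2Foauth2%2Ftoken 200",
    "GET /fonts/webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken 404",
    "POST /hooks/new?webhook-url=https%3A%2F%2Fhooks.example.com%2Fbuild 201",
    "GET /hooks/new?webhook-url=http%253A%252F%252F169.254.169.254%252Fmetadata%252Fidentity%252Foauth2%252Ftoken 200",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DASH_HEX_RE = re.compile(r"-([0-9A-Fa-f]{2})")  # slug form: "-3A" stands for "%3A"


def decode_variants(line, rounds=3):
    """Yield the line percent-decoded as-is, and again with -XX read as %XX."""
    for text in (line, DASH_HEX_RE.sub(r"%\1", line)):
        for _ in range(rounds):  # repeat to peel double encoding (%253A -> %3A -> :)
            decoded = unquote(text)
            if decoded == text:
                break
            text = decoded
        yield text


def metadata_targets(line):
    """Return embedded URLs in a log line whose host is a link-local IP literal."""
    hits = set()
    for text in decode_variants(line):
        for url in URL_RE.findall(text):
            try:
                ip = ipaddress.ip_address(urlsplit(url).hostname or "")
            except ValueError:
                continue  # hostname is a DNS name or malformed, not an IP literal
            if ip.is_link_local:  # 169.254.0.0/16 and fe80::/10
                hits.add(url)
    return sorted(hits)


def scan(lines):
    """Map line index -> flagged URLs, for lines that reference a metadata address."""
    return {i: t for i, line in enumerate(lines) if (t := metadata_targets(line))}


if __name__ == "__main__":
    for index, urls in scan(SAMPLE_LOGS).items():
        print(index, urls)
```

Hostnames that only resolve to a link-local address are not caught by this log scan; that case is what the resolution check above is for.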

To understand why this string appears in security logs, it is necessary to examine its three separate components: