CRITICAL🇵🇱 Wersja polska

CVE-2026-22822

CVSS 9.3v4.0pub. 2026-01-21upd. 2026-06-30

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • External Secrets Operator

    APP
    External-Secrets
    0.20.2 – 1.2.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2024-36540CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowe uprawnienia w External Secrets Operator umożliwiają privilege escalation

CVE-2026-34984HIGH7.1ten sam produkt

External Secrets Operator reads information from a third-party service and automatically injects the values as...

CVE-2024-45041HIGH8.3ten sam produkt

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The ext...