Skip to main content

CVE-2026-34984

| EUVDEUVD-2026-22190 HIGH
Information Exposure (CWE-200)
2026-04-13 https://github.com/external-secrets/external-secrets GHSA-r2pg-r6h7-crf3
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
Apr 14, 2026 - 03:22 NVD
7.1 (HIGH)
Analysis Generated
Apr 13, 2026 - 17:15 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 16:45 euvd
EUVD-2026-22190
Analysis Generated
Apr 13, 2026 - 16:45 vuln.today
Patch released
Apr 13, 2026 - 16:45 nvd
Patch available
CVE Published
Apr 13, 2026 - 16:36 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap() and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated ExternalSecret resources can trigger controller-side DNS lookups using secret-derived values, creating a DNS exfiltration primitive.

Impact

This is a confidentiality issue. In environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller can perform DNS resolution, fetched secret material can be exfiltrated through DNS without requiring direct outbound access from the attacker’s workload.

AnalysisAI

DNS exfiltration in External Secrets Operator (ESO) allows authenticated Kubernetes users with ExternalSecret write permissions to leak secret material through controller-side DNS queries. The v2 template engine exposes Sprig's getHostByName function to user-controlled templates, enabling attackers to encode fetched secrets into DNS lookups performed by the ESO controller process. Patch available in v2.3.0 (commit 6800989b). No public exploit code identified at time of analysis, though the attack primitive is straightforward for actors with the requisite Kubernetes RBAC permissions.

Technical ContextAI

External Secrets Operator is a Kubernetes controller that synchronizes secrets from external secret management systems (Vault, AWS Secrets Manager, etc.) into Kubernetes Secret objects. The v2 template engine (runtime/template/v2/template.go) uses Go's text/template with Sprig's TxtFuncMap helper functions to allow users to transform secret data. While ESO's implementation removes dangerous functions like env and expandenv, it retains getHostByName-a Sprig function that performs DNS resolution. Because template rendering occurs server-side within the controller pod (not in user workloads), this creates a confused deputy scenario: the controller can be tricked into performing DNS queries on behalf of the attacker. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically through a side-channel DNS exfiltration vector. The Go package identifier pkg:go/github.com_external-secrets_external-secrets confirms this affects the core ESO controller codebase.

RemediationAI

Vendor-released patch: upgrade to External Secrets Operator v2.3.0 or later, which removes the getHostByName function from the available template function map (fixed in commit 6800989bdc12782ca2605d3b8bf7f2876a16551a). Download the patched release from https://github.com/external-secrets/external-secrets/releases/tag/v2.3.0 and follow the project's standard upgrade procedures. As a temporary workaround, restrict RBAC permissions for ExternalSecret resources to only highly trusted users and enable comprehensive DNS query logging from the ESO controller pod to detect potential exfiltration attempts. Review existing ExternalSecret manifests for suspicious use of template functions, particularly any getHostByName invocations with secret-derived arguments. Full advisory and patch details are available at https://github.com/external-secrets/external-secrets/security/advisories/GHSA-r2pg-r6h7-crf3.

Vendor StatusVendor

Share

CVE-2026-34984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy