Skip to main content

External Secrets Operator CVE-2026-42875

MEDIUM
Improper Authorization (CWE-285)
2026-05-05 https://github.com/external-secrets/external-secrets
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 20:37 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 19:31 vuln.today
Analysis Generated
May 05, 2026 - 19:31 vuln.today

DescriptionGitHub Advisory

Impact

Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver.

The accessible data is used as CA validation material, hence it is not directly exposed.

Impact:

  • Direct data exfiltration risk: low
  • Existence disclosure: an attacker can infer whether a target ConfigMap/key exists in another namespace.
  • Trust-boundary violation: a tenant can make its SecretStore consume CA material owned by another namespace.

AnalysisAI

External Secrets Operator versions prior to 2.4.0 allow namespace isolation bypass when SecretStore resources use CAProvider with ConfigMap type and caProvider.namespace is set, enabling attackers to read CA material from ConfigMaps in other namespaces and infer the existence of sensitive resources across namespace boundaries. This violates multi-tenant trust boundaries in Kubernetes clusters by allowing one tenant to consume CA validation material owned by another namespace.

Technical ContextAI

External Secrets Operator is a Kubernetes controller that integrates external secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager) with Kubernetes native Secret resources. The vulnerability exists in the CAProvider feature when configured with type ConfigMap, which resolves certificate authority material for TLS validation. The shared runtime CA resolver enforces namespace boundaries for SecretStore-backed references, but the caProvider.namespace parameter was not properly validated, allowing cross-namespace ConfigMap resolution. This affects the Go package github.com/external-secrets/external-secrets (CPE: pkg:go/github.com/external-secrets/external-secrets). The root cause is improper namespace isolation (CWE-285: Improper Authorization), where the authorization check for cross-namespace resource access was insufficient.

RemediationAI

Upgrade External Secrets Operator to version 2.4.0 or later immediately. This is the vendor-released patch that resolves the namespace isolation bypass. For Helm deployments, update the chart version to one shipping operator version 2.4.0+; for manual deployments, rebuild and redeploy the operator container image with the patched Go module. No workarounds are available for earlier versions - the vulnerability requires code-level fixes to properly enforce namespace authorization in CAProvider resolution. As a temporary compensating control pending upgrade, restrict RBAC permissions for SecretStore resources by disabling cross-namespace ConfigMap reference permissions in your Kubernetes cluster policies, though this may impact legitimate CA provider functionality. Test the upgrade in a staging environment first to ensure no breaking changes affect your SecretStore configurations. References: https://github.com/external-secrets/external-secrets/security/advisories/GHSA-wv26-88m5-6h59 and https://github.com/advisories/GHSA-wv26-88m5-6h59.

Share

CVE-2026-42875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy