
External Secrets Operator CVE-2026-42876

MEDIUM
Improper Authorization (CWE-285)
2026-05-08 https://github.com/external-secrets/external-secrets GHSA-fq7h-9x26-6j22
CVSS 3.1 base score: 4.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: May 08, 2026 - 18:01 (vuln.today)
  • Analysis Generated: May 08, 2026 - 18:01 (vuln.today)
  • CVE Published: May 08, 2026 - 17:24 (nvd)

Description (NVD)

ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to.

Impact

A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or on Secrets of that type.

The severity is mitigated by the fact that the user must already hold pre-existing permissions at almost the same level as the escalation grants. The attacker cannot use this method to gain access to more information unless other parts of the ESO installation are also misconfigured.

Patches

Disallow this combination, including the bootstrap token secret type.

Workarounds

  • Add admission control logic to prevent the use of Templates targeting undesired Types
  • Remove Service Account Token generation via kube-controller-manager flags
  • Restrict User RBAC on production clusters and sensitive namespaces
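The first workaround above can be implemented with a Kubernetes ValidatingAdmissionPolicy that rejects any ExternalSecret whose target template would produce a Secret of a token-generating type. The policy below is an added example, not part of this advisory or of the External Secrets project; it assumes the ExternalSecret CRD's spec.target.template.type field (the ESO field that sets the generated Secret's type) and the two Kubernetes Secret types that the controller manager auto-populates with credentials (kubernetes.io/service-account-token and bootstrap.kubernetes.io/token). The policy name and message text are chosen for illustration.

```yaml
# Added example: deny ExternalSecret templates that target token-generating Secret types.
# Requires a cluster where ValidatingAdmissionPolicy is enabled (admissionregistration.k8s.io/v1).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-eso-token-templates   # hypothetical name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["external-secrets.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["externalsecrets"]
  validations:
    # Allow the object when no template type is set at all; otherwise the type
    # must not be one of the Secret types that Kubernetes populates with tokens.
    - expression: >-
        !has(object.spec.target) ||
        !has(object.spec.target.template) ||
        !has(object.spec.target.template.type) ||
        !(object.spec.target.template.type in
          ['kubernetes.io/service-account-token', 'bootstrap.kubernetes.io/token'])
      message: >-
        ExternalSecret templates may not produce service-account-token or
        bootstrap-token Secrets in this cluster.
---
# Bind the policy cluster-wide; narrow with matchResources (namespaceSelector)
# if only production or sensitive namespaces should be covered.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-eso-token-templates   # hypothetical name
spec:
  policyName: deny-eso-token-templates
  validationActions: ["Deny"]
```

Apply both objects with kubectl apply, then confirm enforcement by attempting to create an ExternalSecret that sets spec.target.template.type to kubernetes.io/service-account-token in a test namespace; the API server should reject it with the message above. ClusterExternalSecret embeds the same template under spec.externalSecretSpec, so a cluster that uses it needs an equivalent rule on that resource as well.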

Analysis (AI)

External Secrets Operator versions 0.1.0 through 2.4.0 allow authenticated users with ExternalSecret creation permissions to escalate privileges by crafting Service Account token templates that cause the operator to generate long-lived tokens for any service account in the namespace. An attacker can impersonate service accounts without requiring direct TokenRequest or Secret creation permissions, effectively bypassing RBAC controls. …


CVE-2026-42876 vulnerability details – vuln.today
