External Secrets Operator CVE-2026-42876
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to.
Impact
A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the sepcified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type.
The problem is mitigated in severity by the fact that the user must have pre-existing permissions already at almost the same level as the escalation later gives. The attacker cannot use this method to gain access to more information without other things also being misconfigured in the ESO installation.
Patches
Disallow this combination including the bootstrap token secret type.
Workarounds
- Add admission control logic to prevent the use of Templates targeting undesired Types
- Remove Service Account Token generation via kube-controller-manager flags
- Restrict User RBAC on production clusters and sensitive namespaces
AnalysisAI
External Secrets Operator versions 0.1.0 through 2.4.0 allow authenticated users with ExternalSecret creation permissions to escalate privileges by crafting Service Account token templates that cause the operator to generate long-lived tokens for any service account in the namespace. An attacker can impersonate service accounts without requiring direct TokenRequest or Secret creation permissions, effectively bypassing RBAC controls. The attack requires the attacker already has ExternalSecret creation permissions and the cluster must have service account token generation enabled, limiting the practical scope to already-privileged users seeking lateral privilege expansion within a namespace.
Technical ContextAI
External Secrets Operator (ESO) is a Kubernetes controller that integrates external secret management systems with Kubernetes Secrets. The vulnerability exists in the ExternalSecret validation logic (externalsecret_validator.go). When a user creates an ExternalSecret resource with a template type of 'kubernetes.io/service-account-token' combined with either a ServiceAccountNameKey annotation or a TemplateFrom directive targeting annotations, the operator fails to validate and reject this privileged combination. Instead, it proceeds to create a Kubernetes Secret that Kubernetes automatically populates with a long-lived bearer token for the specified service account. This bypasses normal RBAC because the operator runs with elevated privileges and can create secrets and request tokens that the original user could not directly access. The root cause is insufficient input validation in the template specification processing, allowing users to leverage the operator's high privileges to generate tokens they otherwise lack permission to request. The fix adds explicit validation in validatePrivilegedTemplate() to reject service account token and bootstrap token template types when combined with dangerous annotations or templateFrom configurations.
RemediationAI
Upgrade External Secrets Operator to version 2.4.1 or later immediately. The patched version adds admission control validation that rejects ExternalSecret resources with SecretTypeServiceAccountToken or SecretTypeBootstrapToken templates combined with ServiceAccountNameKey annotations or TemplateFrom directives targeting annotations. If immediate upgrade is not possible, apply the following workarounds per vendor guidance: implement additional admission control logic (ValidatingWebhookConfiguration) to prevent use of Templates targeting dangerous secret types and annotations; disable Service Account Token generation on the kube-controller-manager by removing the '--service-account-signing-key' flag if token generation is not required; restrict RBAC permissions for ExternalSecret resource creation to only trusted roles (service account operators, cluster admins) and avoid granting ExternalSecret creation permissions to developers in namespaces containing highly privileged service accounts. Each workaround has trade-offs: custom admission control adds operational complexity and requires webhook availability; disabling token generation breaks legitimate token provisioning workflows; strict RBAC limits developer agility but is the most robust defense. Reference vendor patch at https://github.com/external-secrets/external-secrets/commit/4ddd240af7fe88725d9857b9a0c198073502e288 and release notes at https://github.com/external-secrets/external-secrets/releases/tag/v2.4.1.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fq7h-9x26-6j22