Skip to main content

External Secrets Operator

3 CVEs product

Monthly

CVE-2026-22822 Go CRITICAL PATCH Act Now

Cross-namespace secret disclosure in External Secrets Operator (versions 0.20.2 through 1.1.x) lets a low-privileged tenant who can author ExternalSecret resources abuse the `getSecretKey` template function to fetch secrets from other namespaces using the controller's own roleBinding, bypassing the operator's namespace-isolation safeguards. The function - originally added for the senhasegura DSM provider - was removed entirely in 1.2.0. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the authorization-bypass primitive is straightforward for any tenant with ExternalSecret create rights.

Kubernetes External Secrets Operator Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2024-45041 Go HIGH PATCH This Week

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Kubernetes External Secrets Operator
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-36540 CRITICAL Act Now

Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure External Secrets Operator
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cross-namespace secret disclosure in External Secrets Operator (versions 0.20.2 through 1.1.x) lets a low-privileged tenant who can author ExternalSecret resources abuse the `getSecretKey` template function to fetch secrets from other namespaces using the controller's own roleBinding, bypassing the operator's namespace-isolation safeguards. The function - originally added for the senhasegura DSM provider - was removed entirely in 1.2.0. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the authorization-bypass primitive is straightforward for any tenant with ExternalSecret create rights.

Kubernetes External Secrets Operator Authentication Bypass
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Kubernetes External Secrets Operator
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure External Secrets Operator
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy