External Secrets Operator

1 CVE

CVE-2026-22822 HIGH PATCH This Week

External Secrets Operator versions 0.20.2 through 1.1.x contain an authorization bypass in the getSecretKey template function that allows authenticated users to retrieve secrets across namespace boundaries, circumventing intended access controls. An attacker with local Kubernetes access could exploit this to exfiltrate sensitive data managed by the operator outside their authorized namespace. The vulnerability is patched in version 1.2.0, where the function was removed completely.

Kubernetes, External Secrets Operator, Red Hat, SUSE
NVD GitHub
CVSS 3.1: 8.8
EPSS: 0.0%
