CVE-2025-55196
BaseFortify

Publication date: 2025-08-13

Last updated on: 2025-08-14

Assigner: GitHub, Inc.

Description
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster. This vulnerability has been patched in version 0.19.2. A workaround for this issue includes auditing and restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources.
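The workaround in the description (restrict who may create or update PushSecret and SecretStore resources) starts with finding out who currently can. The script below is an added example, not part of this advisory or of the External Secrets Operator project: it takes the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` prints and reports every subject whose role lets it create, update or patch `pushsecrets` or `secretstores` in the `external-secrets.io` API group, resolving RoleBindings and ClusterRoleBindings back to their subjects. The RBAC objects embedded in it are constructed sample data, trimmed to the fields the audit uses.

```python
"""Audit Kubernetes RBAC for write access to PushSecret and SecretStore objects.

Usage: python audit_eso_rbac.py rbac.json
  where rbac.json comes from
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
Without an argument the constructed sample below is audited.
"""
import json
import sys

TARGET_GROUP = "external-secrets.io"            # API group of the ESO custom resources
TARGET_RESOURCES = {"pushsecrets", "secretstores"}
WRITE_VERBS = {"create", "update", "patch"}     # verbs that let a subject shape these objects


def rule_grants_write(rule):
    """True if one RBAC rule allows create/update/patch on a PushSecret or SecretStore.
    A wildcard ('*') in any field counts as a match, so cluster-admin style rules are
    reported. A subresource entry such as 'pushsecrets/status' is a different resource
    and does not match."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (("*" in groups or TARGET_GROUP in groups)
            and ("*" in resources or bool(TARGET_RESOURCES & resources))
            and ("*" in verbs or bool(WRITE_VERBS & verbs)))


def roles_granting_write(items):
    """Return the set of (kind, namespace, name) for Roles/ClusterRoles containing such
    a rule. ClusterRoles have no namespace and are recorded with ''."""
    found = set()
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_grants_write(r) for r in obj.get("rules") or []):
            meta = obj["metadata"]
            found.add((obj["kind"], meta.get("namespace", ""), meta["name"]))
    return found


def audit(items):
    """Resolve bindings to the subjects that hold a risky role. Returns sorted tuples of
    (subject kind, subject namespace, subject name, role name, scope)."""
    risky = roles_granting_write(items)
    report = []
    for obj in items:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a Role in its own namespace or a ClusterRole.
        ref_ns = "" if ref["kind"] == "ClusterRole" else binding_ns
        if (ref["kind"], ref_ns, ref["name"]) not in risky:
            continue
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else "namespace " + binding_ns
        for subj in obj.get("subjects") or []:
            report.append((subj["kind"], subj.get("namespace", ""), subj["name"], ref["name"], scope))
    return sorted(report)


# Constructed sample in the shape kubectl emits, trimmed to the fields used here.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "eso-viewer"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["pushsecrets", "secretstores"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "pushsecret-editor", "namespace": "payments"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["pushsecrets"],
                "verbs": ["create", "update", "patch", "delete"]}]},
    {"kind": "Role", "metadata": {"name": "status-only", "namespace": "dev"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["pushsecrets/status"],
                "verbs": ["update"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-can-push", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pushsecret-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "eso-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "dev"}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            items = json.load(fh)["items"]
    else:
        items = SAMPLE_ITEMS
    for kind, ns, name, role, scope in audit(items):
        who = f"{kind} {ns + '/' if ns else ''}{name}"
        print(f"{who:45s} can write PushSecret/SecretStore via {role} ({scope})")
```

On the sample, the report names `system:masters` (through the wildcard cluster-admin rule) and the `ci-deployer` service account in `payments`; the read-only viewer and the `pushsecrets/status` subresource role are correctly left out. Exporting with `kubectl` is enough for aggregated ClusterRoles such as the built-in `edit` and `admin`, because the API server writes the aggregated rules into each role's `.rules` field. Every subject the script lists that is not a trusted deployment identity is a candidate for having its create/update/patch verbs on these resources removed until the operator is upgraded.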
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-08-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor            Product           Version / Range
external-secrets  external-secrets  0.19.2
external-secrets  external-secrets  0.15.0
external-secrets  external-secrets  0.19.1
Exploitability
CWE ID   Description
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade External Secrets Operator to version 0.19.2 or later where the issue is patched. As a workaround, audit and restrict RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources.


Can you explain this vulnerability to me?

This vulnerability in External Secrets Operator versions 0.15.0 to before 0.19.2 allows an attacker to bypass namespace restrictions when listing Kubernetes Secret and SecretStore resources. The PushSecret controller's List() calls did not apply a namespace selector, enabling an attacker who can create or update PushSecret resources and control SecretStore configurations to use label selectors to list and read secrets across the entire cluster. This can lead to unauthorized access and exfiltration of sensitive data such as credentials and tokens stored in Kubernetes secrets.


How can this vulnerability impact me?

If exploited, this vulnerability can lead to full disclosure of Kubernetes secrets across namespaces, exposing sensitive information like credentials, tokens, and other secret data. This could compromise the security of your Kubernetes cluster and any applications relying on these secrets, potentially leading to unauthorized access, data breaches, and further exploitation within your environment.