CVE-2026-22822
Modified Modified - Updated After Analysis

Cross-Namespace Secret Access Vulnerability in External Secrets Operator

Vulnerability report for CVE-2026-22822, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-21

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-21
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-01-22
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
external-secrets external_secrets_operator From 0.20.2 (inc) to 1.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the External Secrets Operator versions starting from 0.20.2 up to but not including 1.2.0. The `getSecretKey` template function, originally introduced for the senhasegura Devops Secrets Management provider, can be exploited to fetch secrets across Kubernetes namespaces using the roleBinding of the external-secrets controller. This bypasses the intended security mechanisms, allowing unauthorized access to secrets. The function was removed in version 1.2.0 to prevent this issue, and alternative methods that respect security safeguards are recommended. As a workaround, policy engines like Kubernetes, Kyverno, Kubewarden, or OPA can be used to block the use of `getSecretKey` in any ExternalSecret resource.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive secrets across Kubernetes namespaces, potentially exposing confidential information. Attackers or unauthorized users could exploit the `getSecretKey` function to bypass security controls and retrieve secrets they should not have access to, which could compromise the security of applications and infrastructure relying on these secrets.

Detection Guidance

This vulnerability can be detected by checking for the usage of the `getSecretKey` template function in any ExternalSecret resource within your Kubernetes cluster. Since the vulnerability involves cross-namespace secret fetching via this function, inspecting ExternalSecret manifests or configurations for the presence of `getSecretKey` usage is key. There are no specific commands provided, but you can use kubectl to search for this function in ExternalSecret resources, for example: `kubectl get externalsecrets --all-namespaces -o yaml | grep getSecretKey`.

Mitigation Strategies

Immediate mitigation steps include upgrading the External Secrets Operator to version 1.2.0 or later, where the `getSecretKey` function has been completely removed. As a workaround, you can use a policy engine such as Kubernetes native policies, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource, thereby enforcing security safeguards until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart