Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the Bitnami Sealed Secrets rotate endpoint (/v1/rotate) is accessible and if sealed secrets are being rotated with the annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the template metadata.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires high privileges to submit to the rotate endpoint, monitoring access logs for unusual or unauthorized requests to /v1/rotate can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'You can check for sealed secrets that have been rotated with cluster-wide scope by querying your Kubernetes cluster for SealedSecrets with the annotation sealedsecrets.bitnami.com/cluster-wide=true.'}, {'type': 'list_item', 'content': 'kubectl get sealedsecrets --all-namespaces -o json | jq \'.items[] | select(.spec.template.metadata.annotations."sealedsecrets.bitnami.com/cluster-wide"=="true")\''}, {'type': 'list_item', 'content': 'Monitor API server logs or proxy logs for POST requests to /v1/rotate endpoint.'}, {'type': 'list_item', 'content': 'Audit Kubernetes RBAC permissions to ensure only trusted users have access to the rotate endpoint.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Bitnami Sealed Secrets to version 0.36.0 or later, where the vulnerability is fixed by preserving the original sealing scope during rotation and preventing scope widening.

Until the upgrade is applied, restrict access to the /v1/rotate endpoint to only highly trusted users with necessary privileges.

Audit and tighten Kubernetes RBAC policies to limit who can submit requests to the rotate endpoint.

Monitor for any rotated sealed secrets that have the cluster-wide annotation and investigate any suspicious activity.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-22728 is a vulnerability in Bitnami Sealed Secrets related to the secret rotation process at the /v1/rotate endpoint. During rotation, the sealing scope for the newly encrypted secret is derived from untrusted annotations in the input sealed secret's metadata. An attacker with high privileges can submit a victim's sealed secret with a manipulated annotation that sets the scope to cluster-wide."}, {'type': 'paragraph', 'content': "This manipulation causes the rotated secret to be re-encrypted with a cluster-wide scope instead of the original strict or namespace-wide scope. As a result, the attacker can unseal the rotated secret in any namespace or under any name, gaining access to the victim's plaintext secret and breaching confidentiality."}, {'type': 'paragraph', 'content': 'The root cause is improper access control where untrusted annotations are trusted to determine the sealing scope during rotation, enabling unauthorized scope escalation.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a confidentiality breach by allowing an attacker to escalate the scope of a sealed secret from a restricted namespace to cluster-wide access.

An attacker with high privileges can obtain a rotated secret that can be unsealed anywhere in the cluster, potentially exposing sensitive plaintext credentials that were intended to be confined to a specific namespace.

This could result in unauthorized access to sensitive information across the entire Kubernetes cluster, increasing the risk of data leakage and compromise of critical systems.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0