Executive Summary

CVE-2026-34984 is a high-severity confidentiality vulnerability in the External Secrets Operator (ESO) versions 2.2.0 and below. The vulnerability exists in the v2 template engine where the function getHostByName remains accessible to user-controlled templates, even though other potentially dangerous functions like env and expandenv are removed.

Since ESO executes these templates within its controller process, an attacker who can create or update templated ExternalSecret resources can exploit getHostByName to perform DNS lookups that include secret-derived values. This creates a DNS exfiltration channel, allowing sensitive secret data to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload.

This vulnerability mainly impacts environments where untrusted or lower-trust users can author ExternalSecret templates and where the controller has DNS resolution capabilities. The issue was fixed in version 2.3.0 by removing the getHostByName function from the template functions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a confidentiality breach by allowing attackers to exfiltrate secret information via DNS queries. Attackers do not need direct outbound network access from their workload to leak sensitive data, making it easier to bypass network restrictions.

If an attacker can create or modify templated ExternalSecret resources, they can leverage the getHostByName function to perform DNS lookups that encode secret material, effectively leaking it outside the environment.

This risk is especially significant in environments where untrusted or lower-trust users have the ability to author ExternalSecret templates and where the controller has DNS resolution capabilities.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the External Secrets Operator (ESO) executing user-controlled templates that can invoke DNS lookups via the getHostByName function, potentially leaking secret data through DNS queries.

Detection can focus on monitoring DNS queries originating from the ESO controller process for unusual or suspicious patterns that may indicate exfiltration attempts.

Additionally, inspecting templated ExternalSecret resources for the presence of templates that use the getHostByName function or other suspicious template constructs can help identify exploitation attempts.

Specific commands are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the External Secrets Operator to version 2.3.0 or later, where the getHostByName function has been removed from the template function map, eliminating the DNS exfiltration vector.

Until the upgrade can be performed, restrict the ability of untrusted or lower-trust users to create or modify templated ExternalSecret resources, as this capability is required to exploit the vulnerability.

Also, consider limiting the DNS resolution capabilities of the ESO controller process if possible, to reduce the risk of DNS-based data exfiltration.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability creates a confidentiality issue by allowing secret material to be exfiltrated via DNS queries without requiring direct outbound network access from the attacker’s workload.

Such a confidentiality breach can impact compliance with data protection standards and regulations like GDPR and HIPAA, which mandate the protection of sensitive information and prevention of unauthorized data disclosure.

Environments where untrusted or lower-trust users can author templated ExternalSecret resources and where the controller has DNS resolution capability are particularly at risk, increasing the likelihood of sensitive data leakage.

Useful 0 Not Useful 0