Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards. As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
Published: 2026-01-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Secret Disclosure
Action: Patch Now
AI Analysis

Impact

In External Secrets Operator 0.20.2 through 1.1.x, any principal who can create or modify an ExternalSecret can call the getSecretKey templating function to read Kubernetes Secrets from any namespace the controller's RoleBinding covers. The function was introduced for the senhasegura DevOps Secrets Management (DSM) provider, but the target template is rendered with the controller's identity rather than the ExternalSecret author's, so it bypasses the namespace isolation that RBAC and the operator's own safeguards normally enforce. The weakness is a missing authorization check (CWE-863); the result is disclosure of secrets that should be confined to their own namespace.

Affected Systems

The affected vendor is external-secrets and the product is the External Secrets Operator. Versions 0.20.2 through 1.1.x are vulnerable: the function was introduced in 0.20.2 and removed in 1.2.0, so releases before 0.20.2 are not affected and 1.2.0 and later are fixed. No other vendors or products are listed by the CNA.

Risk and Exploitability

The CVSS v4.0 score of 9.3 is Critical (Red Hat's v3.1 assessment rates it 8.8, Important), while the EPSS score below 1% indicates a low observed probability of exploitation at present; the SSVC entry records no known exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is local (AV:L, PR:L): the attacker needs the ability to create or modify ExternalSecret resources in some namespace, a privilege routinely granted to application teams, and needs no network exposure of the operator. By embedding getSecretKey calls in the target template, that attacker reads Secrets from namespaces their own RBAC does not grant, so the threat is confined to actors with cluster access but crosses tenant boundaries inside the cluster (subsequent-system impact is rated High).

Generated by OpenCVE AI on April 18, 2026 at 04:10 UTC.

Remediation

No separate vendor remediation entry is recorded here; the CNA description above states that the function was removed in version 1.2.0 and names an admission-policy workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade the External Secrets Operator to version 1.2.0 or later, which removes the getSecretKey templating function entirely.
  • If an immediate upgrade is not feasible, deploy a policy engine such as Kyverno, Kubewarden, or OPA with a rule that denies any ExternalSecret whose target template contains getSecretKey. Check every place a template body can be supplied, not only the inline template data: templateFrom entries can pull the template from a ConfigMap or Secret that the admission check never sees, so those references need their own control.
  • Review existing ExternalSecret manifests for getSecretKey usage and replace each occurrence with an equivalent that stays within the ExternalSecret's own namespace; the project states that every use of the function has such an equivalent.
  • Review the RoleBinding or ClusterRoleBinding granted to the External Secrets controller, since its cluster-wide ability to read Secrets is exactly what getSecretKey borrows. The default cluster-wide controller must create and update target Secrets in every namespace that hosts an ExternalSecret, so narrowing it to a single namespace only works where the controller is deployed per namespace; where that model fits, it removes the cross-namespace reach even if a getSecretKey call slips past policy.
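The two actions above (deny getSecretKey at admission, and review existing manifests) come down to the same check over an ExternalSecret's target template. Below is that check as an offline audit over the output of `kubectl get externalsecrets -A -o json`, written as an added example for this page; it is not code from the External Secrets Operator project. It assumes the standard ExternalSecret layout (`spec.target.template.data` for inline templates, `spec.target.template.templateFrom` with `literal`, `configMap` or `secret` entries), matches only the function name because the page does not document getSecretKey's arguments (the argument order in the sample data is illustrative), and embeds constructed sample objects so it runs without a cluster.

```python
"""Audit ExternalSecret objects for the `getSecretKey` template function
removed in External Secrets Operator 1.2.0 (CVE-2026-22822).

Added example, not code from the External Secrets Operator project. It reads
the JSON that `kubectl get externalsecrets -A -o json` prints (a List whose
`items` are ExternalSecret objects); run without piped input it audits the
constructed SAMPLE below so the script works offline.
"""
import json
import re
import sys

# Match the function name as a whole word rather than a fixed "{{ getSecretKey"
# prefix: template authors can add whitespace, pipes or parentheses around it.
GETSECRETKEY = re.compile(r"\bgetSecretKey\b")


def template_sources(es):
    """Yield (location, text) for every inline template string of one
    ExternalSecret. For templateFrom entries that fetch the template body from
    a ConfigMap or Secret, yield (location, None): the body is not in the
    manifest, so neither this audit nor an admission policy can inspect it."""
    target = (es.get("spec") or {}).get("target") or {}
    template = target.get("template") or {}
    for key, value in (template.get("data") or {}).items():
        yield "spec.target.template.data.%s" % key, value
    for i, entry in enumerate(template.get("templateFrom") or []):
        base = "spec.target.template.templateFrom[%d]" % i
        if "literal" in entry:
            yield base + ".literal", entry["literal"]
        for ref in ("configMap", "secret"):
            if ref in entry:
                yield base + "." + ref, None


def audit(items):
    """Return {'findings': [...], 'unresolved': [...]}: findings are
    (namespace/name, location) pairs whose inline template calls getSecretKey;
    unresolved are templateFrom references that need a manual check."""
    findings, unresolved = [], []
    for es in items:
        meta = es.get("metadata") or {}
        name = "%s/%s" % (meta.get("namespace", ""), meta.get("name", ""))
        for location, text in template_sources(es):
            if text is None:
                unresolved.append((name, location))
            elif GETSECRETKEY.search(text):
                findings.append((name, location))
    return {"findings": findings, "unresolved": unresolved}


def _es(namespace, name, template):
    """Build a minimal ExternalSecret object (constructed sample data)."""
    return {
        "apiVersion": "external-secrets.io/v1",
        "kind": "ExternalSecret",
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"target": {"name": name, "template": template}},
    }


# Constructed sample. The getSecretKey argument order is illustrative only;
# the page does not document the function's signature, and the audit matches
# just the identifier.
SAMPLE = {"kind": "List", "items": [
    # Ordinary template: renders only the provider data fetched for this ES.
    _es("web", "api-token", {"data": {"token": "{{ .token }}"}}),
    # Inline template reaching into another namespace via the removed function.
    _es("payments", "db-creds", {"data": {
        "username": "{{ .user }}",
        "password": "{{ getSecretKey \"platform\" \"db-root\" \"password\" }}",
    }}),
    # Same call hidden in a templateFrom literal.
    _es("ci", "deploy-key", {"templateFrom": [
        {"literal": "key: {{getSecretKey \"kube-system\" \"signer\" \"key\"}}"}
    ]}),
    # Template body lives in a ConfigMap: cannot be judged from the manifest.
    _es("tooling", "shared", {"templateFrom": [
        {"configMap": {"name": "shared-tpl", "items": [{"key": "tpl"}]}}
    ]}),
]}


def main():
    # Piped input is audited; an interactive run falls back to SAMPLE.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    items = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
    result = audit(items)
    for name, loc in result["findings"]:
        print("FINDING    %-24s %s" % (name, loc))
    for name, loc in result["unresolved"]:
        print("UNRESOLVED %-24s %s (template body in referenced object)" % (name, loc))
    return 1 if result["findings"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `kubectl get externalsecrets -A -o json | python3 audit_getsecretkey.py`; a non-zero exit means inline findings. The UNRESOLVED rows are the same caveat that applies to the admission-policy workaround: a template body pulled from a ConfigMap or Secret through templateFrom is not part of the ExternalSecret object, so a Kyverno, Kubewarden or OPA rule that matches on the ExternalSecret body cannot see it; either deny those templateFrom kinds as well or inspect the referenced objects.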

Advisories
Source       ID                    Title
GitHub GHSA  GHSA-77v3-r3jw-j2v2   External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
History

Wed, 18 Feb 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   External-secrets external Secrets Operator
CPEs                                  cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*
Vendors & Products                    External-secrets external Secrets Operator

Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   External-secrets
                                      External-secrets external-secrets
Vendors & Products                    External-secrets
                                      External-secrets external-secrets

Fri, 23 Jan 2026 00:15:00 +0000

Type        Values Removed           Values Added
References
Metrics     threat_severity: None    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
                                     threat_severity: Important


Thu, 22 Jan 2026 23:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 21:30:00 +0000

Type          Values Removed   Values Added
Description                    External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
Title                          External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
Weaknesses                     CWE-863
References
Metrics                        cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:50:23.708Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22822

Vulnrichment

Updated: 2026-01-22T15:10:58.931Z

NVD

Status : Analyzed

Published: 2026-01-21T22:15:49.380

Modified: 2026-02-18T15:29:01.850

Link: CVE-2026-22822

Red Hat

Severity : Important

Public Date: 2026-01-21T21:22:05Z

Links: CVE-2026-22822 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses