Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() but leaves the getHostByName function accessible to user-controlled templates. Since ESO executes templates within the controller process, an attacker who can create or update templated ExternalSecret resources can invoke controller-side DNS lookups using secret-derived values. This creates a DNS exfiltration primitive, allowing fetched secret material to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload. The impact is a confidentiality issue, particularly in environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller has DNS resolution capability. This issue has been fixed in version 2.3.0.
Published: 2026-04-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via DNS exfiltration
Action: Apply Patch
AI Analysis

Impact

The vulnerability is caused by a leftover getHostByName function in the External Secrets Operator’s v2 template engine. Templates authored by administrators or other authorized users are executed inside the controller process, so any attacker who can create or modify a templated ExternalSecret can trigger DNS lookups from the controller. By embedding secret‑derived data in the lookup target, the attacker causes the controller to query an external DNS server and thereby exfiltrate sensitive secret material. The core weakness matches the confidentiality impact of this CVE and is identified as CWE‑200 and CWE‑94; the CVE record also lists NVD‑CWE‑noinfo, indicating no additional standard CWE classification.
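To make the mechanism in the description and impact paragraph concrete, here is an added Go example (not ESO's code) that models the template engine's function map and shows why deleting a function from the map is an effective fix: a template that calls getHostByName fails at parse time, before any secret value is substituted. The Sprig entries are assumed stand-in stubs so the example runs offline; LegacyDeny models the pre-2.3.0 removal set and HardenedDeny the one that also drops getHostByName.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Stubs for the Sprig entries the advisory names (assumed, offline-safe: no env or DNS).
func stubFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":           func(string) string { return "" },
		"expandenv":     func(s string) string { return s },
		"getHostByName": func(string) string { return "" },
	}
}
// What the pre-2.3.0 engine removed versus what a hardened engine must remove.
var LegacyDeny = []string{"env", "expandenv"}
var HardenedDeny = []string{"env", "expandenv", "getHostByName"}

// hardenFuncMap returns a copy of fm with the denied names deleted.
func hardenFuncMap(fm template.FuncMap, deny []string) template.FuncMap {
	out := make(template.FuncMap, len(fm))
	for k, v := range fm {
		out[k] = v
	}
	for _, name := range deny {
		delete(out, name)
	}
	return out
}

// renderWith parses and executes src against fm. A call to a removed function
// fails at Parse time, before any secret is substituted, so no lookup can run.
func renderWith(fm template.FuncMap, src string, data any) (string, error) {
	tpl, err := template.New("externalsecret").Funcs(fm).Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = tpl.Execute(&sb, data)
	return sb.String(), err
}
func main() {
	src := `{{ getHostByName "example.internal" }}` // constructed template
	_, legacyErr := renderWith(hardenFuncMap(stubFuncMap(), LegacyDeny), src, nil)
	_, fixedErr := renderWith(hardenFuncMap(stubFuncMap(), HardenedDeny), src, nil)
	fmt.Println("legacy accepts:", legacyErr == nil, "| hardened rejects:", fixedErr)
}
```

An allowlist of the few template functions ExternalSecret authors actually need is the stronger form of the same idea, since a denylist has to be revisited every time the upstream function map grows.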

Affected Systems

The issue affects the External Secrets Operator, specifically the external‑secrets:external‑secrets product. All releases up to and including 2.2.0 are vulnerable; the problem was resolved in version 2.3.0. Further version details are not provided beyond this upgrade point.

Risk and Exploitability

With a CVSS score of 7.1, the risk is considered moderate to high. The EPSS score of 0.00044 indicates a very low, but non‑zero, probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. If the attacker has permission to create or update templated ExternalSecret objects, DNS exfiltration can occur even when the attacker’s workload lacks outbound network connectivity, making this a significant confidentiality threat in environments with less trusted users or unrestricted templated secret creation.

Generated by OpenCVE AI on April 27, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade External Secrets Operator to v2.3.0 or later
  • Restrict RBAC so that only trusted users can create or update templated ExternalSecret resources
  • Monitor DNS traffic from the External Secrets controller for unexpected lookups and review logs for anomalies



Advisories
Source: Github GHSA
ID: GHSA-r2pg-r6h7-crf3
Title: External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
History

Wed, 22 Apr 2026 16:30:00 +0000

First Time appeared (added): External-secrets external Secrets Operator
Weaknesses (added): NVD-CWE-noinfo
CPEs (added): cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*
Vendors & Products (added): External-secrets external Secrets Operator
Metrics cvssV3_1 (removed): {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
Metrics cvssV3_1 (added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 15 Apr 2026 00:15:00 +0000

Weaknesses (added): CWE-94
References (added)
Metrics threat_severity (removed): None
Metrics cvssV3_1 (added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
Metrics threat_severity (added): Moderate


Tue, 14 Apr 2026 17:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

First Time appeared (added): External-secrets; External-secrets external-secrets
Vendors & Products (added): External-secrets; External-secrets external-secrets

Tue, 14 Apr 2026 02:45:00 +0000

Description (added): as given in the Description section above
Title (added): External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine
Weaknesses (added): CWE-200
References (added)
Metrics cvssV4_0 (added): {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:27:55.720Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34984

Vulnrichment

Updated: 2026-04-14T15:37:59.245Z

NVD

Status : Analyzed

Published: 2026-04-14T03:16:08.530

Modified: 2026-04-22T16:22:52.053

Link: CVE-2026-34984

Redhat

Severity : Moderate

Public Date: 2026-04-14T01:48:41Z

Links: CVE-2026-34984 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z