Impact
External Secrets Operator allows a Namespaced SecretStore that uses a CAProvider of type ConfigMap to resolve certificate authority material from a different namespace when the field caProvider.namespace is set. Because the operator does not enforce namespace isolation for this resolution, the vulnerability leads to unintended cross-namespace access. The consequence is potential exposure of CA certificates that can be used as credential material, compromising confidentiality for any resource in the target namespace. This flaw is a form of broken access control (CWE-285) and improper permission handling for system data (CWE-668). The affected functionality is restricted to the CAProvider resolution logic; it does not provide full system compromise or privilege escalation, but it can be abused by any actor who can create or modify SecretStore resources.
Affected Systems
Vendors: external-secrets (External Secrets Operator). Product: External Secrets Operator. Versions affected: any release prior to 2.4.0; the issue is addressed in 2.4.0 and later.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. Because the flaw requires the ability to create or modify SecretStore and CAProvider objects, the attack vector is likely internal to a Kubernetes cluster and depends on sufficient RBAC permissions. Attackers who can provision such resources could read ConfigMap data in other namespaces and expose CA certificates. The risk is limited in scope but should be mitigated promptly by applying the fix.
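As an added example (not code from the advisory or from the External Secrets project), the following Python audit walks the JSON that `kubectl get secretstores -A -o json` returns and reports each namespaced SecretStore whose ConfigMap CAProvider sets caProvider.namespace to a namespace other than its own, which is the condition this advisory describes. The embedded input is constructed, and the placement of `caProvider` under `spec.provider.<provider>` is an assumption; the walker searches the whole spec so it does not depend on a particular provider key.

```python
"""Audit External Secrets Operator SecretStores for cross-namespace ConfigMap CAProviders."""
import json

# Constructed sample mirroring the assumed shape of `kubectl get secretstores -A -o json`.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "SecretStore",  # same-namespace reference: allowed
     "metadata": {"name": "vault-a", "namespace": "team-a"},
     "spec": {"provider": {"vault": {"server": "https://vault.example:8200", "caProvider": {
         "type": "ConfigMap", "name": "vault-ca", "key": "ca.crt", "namespace": "team-a"}}}}},
    {"kind": "SecretStore",  # reads a ConfigMap from a namespace the store should not touch
     "metadata": {"name": "vault-b", "namespace": "team-b"},
     "spec": {"provider": {"vault": {"server": "https://vault.example:8200", "caProvider": {
         "type": "ConfigMap", "name": "internal-ca", "key": "ca.crt", "namespace": "platform-pki"}}}}},
    {"kind": "SecretStore",  # namespace omitted: resolved in the store's own namespace
     "metadata": {"name": "vault-c", "namespace": "team-c"},
     "spec": {"provider": {"vault": {"caProvider": {"type": "ConfigMap", "name": "ca", "key": "ca.crt"}}}}},
    {"kind": "ClusterSecretStore",  # cluster-scoped by design, so outside the scope of this check
     "metadata": {"name": "shared"},
     "spec": {"provider": {"vault": {"caProvider": {"type": "ConfigMap", "name": "ca", "key": "ca.crt",
                                                     "namespace": "platform-pki"}}}}},
]})


def _find_ca_providers(node):
    """Yield every caProvider mapping under a spec; the provider key (vault, webhook, ...) varies."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "caProvider" and isinstance(value, dict):
                yield value
            else:
                yield from _find_ca_providers(value)
    elif isinstance(node, list):
        for item in node:
            yield from _find_ca_providers(item)


def find_cross_namespace_ca_refs(kubectl_json):
    """Return (namespace/name, target namespace, ConfigMap name) per offending SecretStore."""
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        if obj.get("kind") != "SecretStore":  # only namespaced stores are subject to isolation
            continue
        own_ns = obj["metadata"]["namespace"]
        for ca in _find_ca_providers(obj.get("spec", {})):
            target_ns = ca.get("namespace")
            # The advisory's condition: ConfigMap type with caProvider.namespace set elsewhere.
            if ca.get("type") == "ConfigMap" and target_ns and target_ns != own_ns:
                findings.append((f"{own_ns}/{obj['metadata']['name']}", target_ns, ca.get("name")))
    return findings
```

Run against a live cluster by feeding the output of `kubectl get secretstores -A -o json` to `find_cross_namespace_ca_refs`; any finding on a release before 2.4.0 is a store whose CA material is being read across the namespace boundary.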
OpenCVE Enrichment
Github GHSA