Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.
Published: 2026-05-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The External Secrets Operator automatically injects secrets into a cluster, and before version 2.4.1 a user with only the ability to create ExternalSecret resources could trigger the operator to create a Kubernetes Secret that contains a long-lived token for any service account within the namespace. This bypasses normal token-request permissions and allows the attacker to impersonate any service account, effectively escalating privileges. The weakness is an access-control flaw identified as CWE-285.

Affected Systems

The vulnerability affects the External Secrets Operator supplied by the external-secrets project. All releases older than 2.4.1 are vulnerable; this includes any deployment of the operator in a Kubernetes cluster where users may create ExternalSecret objects in a namespace. The operator is typically installed in namespaces where the RBAC policy may allow ExternalSecret creation, so any such namespace is at risk.

Risk and Exploitability

The CVSS score of 4.9 reflects medium severity. No EPSS score is reported and the issue is not cataloged in CISA KEV. Based on the description, it is inferred that the attack vector is internal, contingent on the attacker having permission to create an ExternalSecret resource. Once that resource is created, the operator automatically generates a token for the chosen service account, enabling the attacker to impersonate that account and act with its permissions.

Generated by OpenCVE AI on May 11, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the External Secrets Operator to version 2.4.1 or later to eliminate the flaw.
  • Reevaluate and restrict the RBAC permissions that allow users to create ExternalSecret resources, limiting those rights to trusted namespaces or roles.
  • After upgrading, audit service‑account permissions and disable or limit automatic token generation if the functionality is not required.

Generated by OpenCVE AI on May 11, 2026 at 20:51 UTC.
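To support the audit and RBAC review steps above, the following script, added here as an example and not OpenCVE's or the external-secrets project's own code, scans `kubectl get externalsecrets -A -o json` output and flags any ExternalSecret whose target template would yield a service-account-token Secret. The sample JSON is constructed, and the `spec.target.template` field layout is assumed from the operator's CRD.

```python
import json

# Constructed sample shaped like `kubectl get externalsecrets -A -o json` output (not real cluster data).
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"namespace": "payments", "name": "db-creds"},
         "spec": {"target": {"name": "db-creds", "template": {"type": "Opaque"}}}},
        {"metadata": {"namespace": "payments", "name": "suspicious"},
         "spec": {"target": {"name": "suspicious", "template": {
             "type": "kubernetes.io/service-account-token",
             "metadata": {"annotations": {"kubernetes.io/service-account.name": "admin-sa"}}}}}},
        {"metadata": {"namespace": "dev", "name": "no-template"},
         "spec": {"target": {"name": "no-template"}}},
    ]
})

# Secret type and annotation that make Kubernetes populate a Secret with a long-lived SA token.
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


def find_token_minting(items):
    """Return (namespace, name, reason) for each ExternalSecret whose target template
    asks for a service-account-token Secret or names a service account."""
    findings = []
    for es in items:
        meta = es.get("metadata", {})
        # Assumed CRD layout: spec.target.template.{type, metadata.annotations}
        template = es.get("spec", {}).get("target", {}).get("template") or {}
        reasons = []
        if template.get("type") == SA_TOKEN_TYPE:
            reasons.append(f"target template type is {SA_TOKEN_TYPE}")
        annotations = (template.get("metadata") or {}).get("annotations") or {}
        if SA_NAME_ANNOTATION in annotations:
            reasons.append(f"target template annotates {SA_NAME_ANNOTATION}={annotations[SA_NAME_ANNOTATION]}")
        if reasons:
            findings.append((meta.get("namespace"), meta.get("name"), "; ".join(reasons)))
    return findings


def audit(json_text):
    """Parse kubectl JSON output and return the findings list."""
    return find_token_minting(json.loads(json_text).get("items", []))


if __name__ == "__main__":
    for ns, name, why in audit(SAMPLE):
        print(f"{ns}/{name}: {why}")
```

Run it against real output with `kubectl get externalsecrets -A -o json | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; any hit in a namespace where untrusted users hold ExternalSecret create rights should be reviewed alongside the upgrade to 2.4.1.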

Advisories
Source: GitHub GHSA
ID: GHSA-fq7h-9x26-6j22
Title: ExternalSecrets vulnerable to privilege escalation with secret overwriting
History

Tue, 12 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:00:00 +0000

Type: First Time appeared
Values Added: External-secrets; External-secrets external-secrets

Type: Vendors & Products
Values Added: External-secrets; External-secrets external-secrets

Mon, 11 May 2026 19:30:00 +0000

Type: Description
Values Added: External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.

Type: Title
Values Added: External Secrets Operator: Priviledge escalation with secret overwriting

Type: Weaknesses
Values Added: CWE-285

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:
{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:26:21.683Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42876

Vulnrichment

Updated: 2026-05-12T13:26:14.981Z

NVD

Status: Received

Published: 2026-05-11T20:25:44.307

Modified: 2026-05-11T20:25:44.307

Link: CVE-2026-42876

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T21:45:35Z

Weaknesses