External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
Summary
| CVE | CVE-2026-22822 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-21 22:15:49 UTC |
| Updated | 2026-06-30 03:17:28 UTC |
| Description | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. |
Risk And Classification
Primary CVSS: v4.0 9.3 CRITICAL from [email protected]
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001750000 probability, percentile 0.072160000 (date 2026-07-01)
Problem Types: CWE-863 | CWE-863 CWE-863: Incorrect Authorization | CWE-863 Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.3 | CRITICAL | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | DECLARED | 9.3 | CRITICAL | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| 3.1 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | External-secrets | External Secrets Operator | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | External-secrets | External-secrets | affected >= 0.20.2, < 1.2.0 | Not specified |
| ADP | Red Hat | External Secrets Operator For Red Hat OpenShift - Tech Preview | Not specified | Not specified |
| ADP | Red Hat | External Secrets Operator For Red Hat OpenShift | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/external-secrets/external-secrets/releases/tag/v1.2.0 | [email protected] | github.com | Product, Release Notes |
| github.com/external-secrets/external-secrets/issues/5690 | [email protected] | github.com | Issue Tracking |
| github.com/external-secrets/external-secrets/security/advisories/GHSA-77... | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-22822 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22822.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/external-secrets/external-secrets/pull/3895 | [email protected] | github.com | Issue Tracking |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf... | [email protected] | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-21T22:01:44.507Z | Reported to Red Hat. |
| ADP | 2026-01-21T21:22:05.249Z | Made public. |
Workarounds
ADP: To mitigate this issue, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of the `getSecretKey` function within any `ExternalSecret` resource. This will block the vulnerable function from being exploited. Applying such policies may require restarting affected pods or services for the changes to take effect.