GHSA-77V3-R3JW-J2V2

Vulnerability from github – Published: 2026-01-20 16:37 – Updated: 2026-01-22 15:38
Summary
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
Details

Summary

The getSecretKey template function, introduced for the senhasegura DevOps Secrets Management (DSM) provider, could read Kubernetes Secrets from any namespace using the RBAC permissions (RoleBinding) granted to the external-secrets controller rather than those of the namespace the ExternalSecret lives in, bypassing the operator's namespace-isolation safeguards.

The function has been removed entirely, since everything it was used for can be achieved another way that respects those safeguards (for example, with sourceRef, as explained in https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865).

Impact

  • Cross-namespace secret access: anyone able to create or edit an ExternalSecret, or a misconfigured resource, could retrieve Secrets from namespaces other than the one the ExternalSecret belongs to.
  • Privilege escalation: unauthorized access to those Secrets can lead to privilege escalation, data exfiltration, or compromise of the service accounts and credentials they hold.

Resolution

The offending templating function was removed from the codebase. The fix ships in v1.2.0; per the OSV record below, versions from 0.20.2 up to but not including 1.2.0 are affected. All users should upgrade to a version containing this fix.

Workarounds

Until you can upgrade, use a policy engine such as Kubernetes ValidatingAdmissionPolicy, Kyverno, Kubewarden, or OPA/Gatekeeper to reject any ExternalSecret resource whose template references getSecretKey. One caveat: templates pulled in through templateFrom from a ConfigMap or Secret are not visible in the ExternalSecret object itself, so a policy that only inspects the ExternalSecret cannot see those.
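An admission policy stops new resources, but it does not tell you which ExternalSecret templates already depend on the function, and a plain substring match over a manifest also hits comments and literal text. The Go program below is an added example, not code from the advisory or from the External Secrets project: it parses each template body with the standard library's text/template/parse package and counts syntactic references to the identifier, so only real function calls are reported, including calls nested in if/range/with blocks or in define blocks, and a template that fails to parse is flagged rather than silently passed. The sample template data is constructed here and its key names and values are made up.

```go
package main

import (
	"fmt"
	"sort"
	"text/template/parse"
)

// Constructed sample of an ExternalSecret's spec.target.template.data map
// (hypothetical keys and values, not taken from the advisory). The "password"
// entry is the pattern the advisory describes: a template that pulls a Secret
// key from another namespace via getSecretKey. The "note" entry only mentions
// the name in plain text and must not be reported.
var sampleTemplateData = map[string]string{
	"username": `{{ .username }}`,
	"password": `{{ $p := getSecretKey "other-ns" "db-creds" "password" }}{{ $p }}`,
	"note":     `literal text mentioning getSecretKey in prose only`,
}

// walk visits every node of a parsed template tree, descending into pipelines,
// command arguments, chained expressions and the branches of control blocks,
// and calls fn on each node it reaches.
func walk(n parse.Node, fn func(parse.Node)) {
	if n == nil {
		return
	}
	fn(n)
	switch v := n.(type) {
	case *parse.ListNode:
		if v != nil {
			for _, c := range v.Nodes {
				walk(c, fn)
			}
		}
	case *parse.ActionNode:
		walk(v.Pipe, fn)
	case *parse.PipeNode:
		if v != nil {
			for _, d := range v.Decl {
				walk(d, fn)
			}
			for _, c := range v.Cmds {
				walk(c, fn)
			}
		}
	case *parse.CommandNode:
		for _, a := range v.Args {
			walk(a, fn)
		}
	case *parse.ChainNode:
		walk(v.Node, fn)
	case *parse.IfNode:
		walkBranch(&v.BranchNode, fn)
	case *parse.RangeNode:
		walkBranch(&v.BranchNode, fn)
	case *parse.WithNode:
		walkBranch(&v.BranchNode, fn)
	case *parse.TemplateNode:
		if v.Pipe != nil {
			walk(v.Pipe, fn)
		}
	}
}

// walkBranch handles the shared shape of if/range/with: condition, body, else body.
func walkBranch(b *parse.BranchNode, fn func(parse.Node)) {
	if b.Pipe != nil {
		walk(b.Pipe, fn)
	}
	if b.List != nil {
		walk(b.List, fn)
	}
	if b.ElseList != nil {
		walk(b.ElseList, fn)
	}
}

// findFuncCalls parses a Go text/template body and counts identifier nodes
// equal to funcName. SkipFuncCheck makes the parser accept functions we have
// not registered (sprig helpers, the operator's own functions), which a scanner
// needs since it does not evaluate templates. Every tree in the set is scanned
// so that {{define}} blocks are covered too.
func findFuncCalls(text, funcName string) (int, error) {
	t := parse.New("scan")
	t.Mode = parse.SkipFuncCheck
	trees := map[string]*parse.Tree{}
	if _, err := t.Parse(text, "", "", trees); err != nil {
		return 0, err
	}
	count := 0
	for _, tree := range trees {
		walk(tree.Root, func(n parse.Node) {
			if id, ok := n.(*parse.IdentifierNode); ok && id.Ident == funcName {
				count++
			}
		})
	}
	return count, nil
}

// auditTemplateData returns, sorted, the template keys that call forbidden.
// A body that does not parse is reported as well (fail closed): we cannot
// prove it safe, and the operator would reject it anyway.
func auditTemplateData(data map[string]string, forbidden string) []string {
	var flagged []string
	for key, body := range data {
		n, err := findFuncCalls(body, forbidden)
		if err != nil || n > 0 {
			flagged = append(flagged, key)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, key := range auditTemplateData(sampleTemplateData, "getSecretKey") {
		fmt.Printf("template key %q calls getSecretKey\n", key)
	}
}
```

In practice you would feed auditTemplateData the values under .spec.target.template.data of each object returned by kubectl get externalsecrets -A -o json (and the literal entries of templateFrom), fetching ConfigMap- or Secret-backed templateFrom bodies separately. An admission policy written in CEL or Kyverno normally approximates the same check with a substring match on those fields; that is the conservative choice at admission time, while the parser above avoids false positives when triaging an existing estate.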

Details

See also:
  • https://github.com/external-secrets/external-secrets/issues/5690
  • https://github.com/external-secrets/external-secrets/pull/3895


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/external-secrets/external-secrets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.2"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T16:37:18Z",
    "nvd_published_at": "2026-01-21T22:15:49Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms.\n\nThis function was completely removed, as everything done with that templating function can be done in a different way while respecting our safeguards (for example, using `sourceRef` like explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865)\n\n### Impact\n- Cross-namespace secret access: Attackers or misconfigured resources could retrieve secrets from namespaces other than the one intended.\n- privilege escalation: Unauthorized access to secrets could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials.\n\n### Resolution\n\nWe removed the incriminated templating function from our codebase. All users should upgrade to the latest version containing this fix.\n\n### Workarounds\n\nUse a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.\n\n### Details\n\nSee also:\n- https://github.com/external-secrets/external-secrets/issues/5690\n- https://github.com/external-secrets/external-secrets/pull/3895",
  "id": "GHSA-77v3-r3jw-j2v2",
  "modified": "2026-01-22T15:38:48Z",
  "published": "2026-01-20T16:37:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/issues/5690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/pull/3895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/external-secrets/external-secrets"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function"
}
