LiveActive security incident?Get immediate response
CVE Record

CVE-2026-22822: External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.

CriticalCVSS 9.3Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

A Kubernetes user with limited privileges could use External Secrets Operator templating to retrieve secrets across namespaces. That can expose or alter sensitive application secrets beyond the user’s intended access. The issue is critical for clusters using affected External Secrets Operator versions and shared controller permissions.

Executive priority

Treat as urgent if External Secrets Operator is deployed in production or multi-tenant Kubernetes clusters. The issue can undermine namespace boundaries for secrets, creating credential exposure risk. Prioritize upgrade and policy enforcement before routine backlog work.

Technical view

External Secrets Operator versions 0.20.2 through before 1.2.0 include the getSecretKey template function. Sources say it can fetch cross-namespace secrets using the external-secrets controller roleBinding, bypassing ESO safeguards. Version 1.2.0 removed the function. The CVE is CWE-863 with CVSS 4.0 score 9.3.

Likely exposure

Exposure is likely in Kubernetes clusters running External Secrets Operator >=0.20.2 and <1.2.0, particularly where users can create or update ExternalSecret resources. Cross-namespace impact depends on controller permissions and whether getSecretKey appears in templates.

Exploitation context

The source bundle does not report active exploitation, and KEV is false. The CVSS vector indicates local access, low complexity, low privileges, and no user interaction. Practical abuse appears to require permission to influence ExternalSecret resources using the vulnerable template function.

Researcher notes

Evidence identifies authorization bypass through a removed template function, not a public exploit. Validate exposure through ESO version, ExternalSecret template content, and controller RBAC. Avoid assuming senhasegura-only impact; sources say the function was introduced for that provider but describe broader cross-namespace secret retrieval capability.

Mitigation direction

  • Upgrade External Secrets Operator to version 1.2.0 or later.
  • Remove or replace any getSecretKey usage in ExternalSecret templates.
  • Use Kubernetes, Kyverno, Kubewarden, or OPA policy to block getSecretKey.
  • Check vendor and distribution guidance for packaged fixes or VEX status.
  • Limit ExternalSecret authoring rights while remediation is in progress.

Validation and detection

  • Inventory External Secrets Operator versions across clusters.
  • Search ExternalSecret resources and manifests for getSecretKey references.
  • Confirm admission policy blocks new getSecretKey usage.
  • Review controller roleBinding scope for cross-namespace secret access.
  • Verify ESO 1.2.0 or later is deployed after upgrade.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-863: Authorization and privilege behavior lookup

Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-22822 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.3 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.3CVSS 4.0CriticalCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HGitHub_M
8.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H26redhat-SADP

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2026-22822Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPexternal-secrets: External Secrets Operator: Cross-Namespace Secret Disclosure via `getSecretKey` Function
other:Red Hat severity ratingcvssV3_1
  • 2026-01-21T22:01:44.507Z: Reported to Red Hat.
  • 2026-01-21T21:22:05.249Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
external-secretsexternal-secrets>= 0.20.2, < 1.2.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-863 · source CWE mapping

Incorrect Authorization

Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.