CVE-2026-22822: External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
Security readout for executives and security teams
Plain-English summary
A Kubernetes user with limited privileges could use External Secrets Operator templating to retrieve secrets across namespaces. That can expose or alter sensitive application secrets beyond the user’s intended access. The issue is critical for clusters using affected External Secrets Operator versions and shared controller permissions.
Executive priority
Treat as urgent if External Secrets Operator is deployed in production or multi-tenant Kubernetes clusters. The issue can undermine namespace boundaries for secrets, creating credential exposure risk. Prioritize upgrade and policy enforcement before routine backlog work.
Technical view
External Secrets Operator versions 0.20.2 through before 1.2.0 include the getSecretKey template function. Sources say it can fetch cross-namespace secrets using the external-secrets controller roleBinding, bypassing ESO safeguards. Version 1.2.0 removed the function. The CVE is CWE-863 with CVSS 4.0 score 9.3.
Likely exposure
Exposure is likely in Kubernetes clusters running External Secrets Operator >=0.20.2 and <1.2.0, particularly where users can create or update ExternalSecret resources. Cross-namespace impact depends on controller permissions and whether getSecretKey appears in templates.
Exploitation context
The source bundle does not report active exploitation, and KEV is false. The CVSS vector indicates local access, low complexity, low privileges, and no user interaction. Practical abuse appears to require permission to influence ExternalSecret resources using the vulnerable template function.
Researcher notes
Evidence identifies authorization bypass through a removed template function, not a public exploit. Validate exposure through ESO version, ExternalSecret template content, and controller RBAC. Avoid assuming senhasegura-only impact; sources say the function was introduced for that provider but describe broader cross-namespace secret retrieval capability.
Mitigation direction
Upgrade External Secrets Operator to version 1.2.0 or later.
Remove or replace any getSecretKey usage in ExternalSecret templates.
Use Kubernetes, Kyverno, Kubewarden, or OPA policy to block getSecretKey.
Check vendor and distribution guidance for packaged fixes or VEX status.
Limit ExternalSecret authoring rights while remediation is in progress.
Validation and detection
Inventory External Secrets Operator versions across clusters.
Search ExternalSecret resources and manifests for getSecretKey references.
Confirm admission policy blocks new getSecretKey usage.
Review controller roleBinding scope for cross-namespace secret access.
Verify ESO 1.2.0 or later is deployed after upgrade.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-863: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-863 · source CWE mapping
Incorrect Authorization
Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.