PT-2026-3742 · Go · Github.Com/External-Secrets/External-Secrets

Publicado

2026-01-20

·

Atualizado

2026-01-20

CVSS v4.0

9.3

Crítica

VetorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

The getSecretKey template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms.
This function was completely removed, as everything done with that templating function can be done in a different way while respecting our safeguards (for example, using sourceRef like explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865)

Impact

  • Cross-namespace secret access: Attackers or misconfigured resources could retrieve secrets from namespaces other than the one intended.
  • privilege escalation: Unauthorized access to secrets could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials.

Resolution

We removed the incriminated templating function from our codebase. All users should upgrade to the latest version containing this fix.

Workarounds

Use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of getSecretKey in any ExternalSecret resource.

Details

See also:

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-863

Identificadores relacionados

GHSA-77V3-R3JW-J2V2

Produtos afetados

Github.Com/External-Secrets/External-Secrets