Unknown · External Secrets Operator · CVE-2026-42876
**Name of the Vulnerable Software and Affected Versions**
External Secrets Operator versions prior to 2.4.1
**Description**
A user with permissions to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes automatically populates with a long-lived token for a specified service account. This allows the user to impersonate any service account within the namespace without requiring direct create permissions on TokenRequest or Secrets of that type.
**Recommendations**
Update to version 2.4.1.
Add admission control logic to prevent the use of Templates targeting undesired Types.
Remove Service Account Token generation via kube-controller-manager flags.
Restrict User RBAC on production clusters and sensitive namespaces.