PT-2025-11560 · Unknown · Baremetal Operator

Published

2025-03-17

·

Updated

2025-03-19

·

CVE-2025-29781

CVSS v3.1

6.5

Medium

Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Bare Metal Operator versions prior to 0.8.1; Bare Metal Operator versions prior to 0.9.1
Description: An adversary holding only namespace-level RBAC roles can create a BMCEventSubscription whose httpHeadersRef names a Secret in a namespace the adversary is not authorized to read. Because the Bare Metal Operator (BMO) runs with cluster-wide permissions and, when reconciling this namespace-scoped Custom Resource, loaded the referenced Secret from whatever namespace the reference pointed at, the contents of that Secret are leaked to the adversary. The fix makes BMO refuse to read Secrets from any namespace other than the one containing the corresponding BareMetalHost (BMH) resource.
Recommendations: Upgrade to a patched BMO release (0.8.1 or 0.9.1). Before upgrading, copy every Secret referenced by a BMCEventSubscription's httpHeadersRef into the namespace of the corresponding BMH, since the patched operator will no longer read it from anywhere else; after the upgrade, delete the old copies. As a temporary workaround, scope BMO's RBAC to a namespace (Role/RoleBinding) instead of the cluster (ClusterRole/ClusterRoleBinding) so that BMO cannot read Secrets in other namespaces, or set the WATCH_NAMESPACE configuration option to confine BMO to a single namespace.
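The namespace check that the fix introduces, and the pre-upgrade Secret migration the recommendations describe, as an added Go example (not BMO's own code): it models the CRD fields hostRef and httpHeadersRef with locally defined types, assumes that an empty httpHeadersRef namespace defaults to the BMH's namespace and an empty hostRef namespace defaults to the subscription's namespace, and runs over a constructed inventory rather than a live cluster.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the references carried by the real BMCEventSubscription CRD.
// Field names follow the CRD (hostRef, httpHeadersRef), but the types are
// defined here so the example is self-contained; this is not BMO's code.
type ObjectReference struct{ Name, Namespace string }
type SecretReference struct{ Name, Namespace string }

type BareMetalHost struct{ Name, Namespace string }

type BMCEventSubscription struct {
	Name, Namespace string
	HostRef         ObjectReference
	HTTPHeadersRef  *SecretReference
}

// ErrCrossNamespaceSecret is returned when httpHeadersRef points outside the
// BMH's namespace, i.e. the reference the patched operator refuses to follow.
var ErrCrossNamespaceSecret = errors.New("httpHeadersRef must be in the BareMetalHost's namespace")

// resolveHeadersSecret applies the post-fix rule: the Secret named by
// httpHeadersRef is only ever read from the namespace of the referenced BMH.
// Assumption: an empty reference namespace defaults to the BMH's namespace.
func resolveHeadersSecret(host BareMetalHost, sub BMCEventSubscription) (*SecretReference, error) {
	if sub.HTTPHeadersRef == nil {
		return nil, nil // no headers Secret, nothing to check
	}
	ref := *sub.HTTPHeadersRef
	if ref.Namespace == "" {
		ref.Namespace = host.Namespace
	}
	if ref.Namespace != host.Namespace {
		return nil, fmt.Errorf("%w: %s/%s refers to %s/%s but host is %s/%s",
			ErrCrossNamespaceSecret, sub.Namespace, sub.Name, ref.Namespace, ref.Name, host.Namespace, host.Name)
	}
	return &ref, nil
}

// CopyPlan is one pre-upgrade action: duplicate From into To so the
// subscription keeps working once the operator stops reading From.
type CopyPlan struct{ From, To SecretReference }

// planSecretMigration lists every httpHeadersRef Secret the patched operator
// would reject, with the namespace it must be copied into before upgrading.
// Assumption: an empty hostRef namespace means the subscription's own namespace.
func planSecretMigration(hosts []BareMetalHost, subs []BMCEventSubscription) ([]CopyPlan, error) {
	byKey := make(map[string]BareMetalHost, len(hosts))
	for _, h := range hosts {
		byKey[h.Namespace+"/"+h.Name] = h
	}
	var plan []CopyPlan
	for _, s := range subs {
		hostNS := s.HostRef.Namespace
		if hostNS == "" {
			hostNS = s.Namespace
		}
		host, ok := byKey[hostNS+"/"+s.HostRef.Name]
		if !ok {
			return nil, fmt.Errorf("subscription %s/%s references unknown host %s/%s",
				s.Namespace, s.Name, hostNS, s.HostRef.Name)
		}
		_, err := resolveHeadersSecret(host, s)
		switch {
		case errors.Is(err, ErrCrossNamespaceSecret):
			plan = append(plan, CopyPlan{
				From: *s.HTTPHeadersRef,
				To:   SecretReference{Name: s.HTTPHeadersRef.Name, Namespace: host.Namespace},
			})
		case err != nil:
			return nil, err
		}
	}
	return plan, nil
}

func main() {
	// Constructed sample inventory, not taken from a real cluster.
	hosts := []BareMetalHost{{Name: "node-0", Namespace: "metal3"}}
	subs := []BMCEventSubscription{
		// Legitimate: Secret already beside the BMH, nothing to do.
		{Name: "ok", Namespace: "metal3", HostRef: ObjectReference{Name: "node-0"},
			HTTPHeadersRef: &SecretReference{Name: "webhook-headers"}},
		// Legitimate but needs migration: tenant keeps its headers Secret in its own namespace.
		{Name: "tenant", Namespace: "tenant-a", HostRef: ObjectReference{Name: "node-0", Namespace: "metal3"},
			HTTPHeadersRef: &SecretReference{Name: "tenant-headers", Namespace: "tenant-a"}},
	}
	plan, err := planSecretMigration(hosts, subs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range plan {
		fmt.Printf("copy secret %s/%s -> %s/%s before upgrading\n", p.From.Namespace, p.From.Name, p.To.Namespace, p.To.Name)
	}
}
```

Against a real cluster the inventory would come from kubectl output for the BareMetalHost and BMCEventSubscription resources across all namespaces; the same cross-namespace rule that produces the copy plan is what turns an adversary's reference to a Secret in, say, kube-system into a reconcile error instead of a disclosure.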

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2026-00157
CVE-2025-29781
GHSA-C98H-7HP9-V9HQ
GO-2025-3530
OPENSUSE-SU-2025:14910-1

Affected Products

Baremetal Operator