PT-2025-33101 · External Secrets · External Secrets Operator
Published
2025-08-13
·
Updated
2025-08-20
·
CVE-2025-55196
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
External Secrets Operator versions 0.15.0 through 0.19.1
Description:
A flaw was discovered in the External Secrets Operator where List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this to exfiltrate sensitive data from arbitrary namespaces, potentially leading to full disclosure of Kubernetes secrets, including credentials and tokens.
Recommendations:
Update to version 0.19.2 or later to resolve this issue.
Restrict RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources.
Audit existing PushSecret and SecretStore resources to ensure they are controlled by trusted parties.
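To illustrate the flaw in the description, the following added example (not code from the External Secrets Operator project) models a label-selector List() over constructed SecretStore records, first without a namespace selector and then scoped to the PushSecret's own namespace; the namespaces, names and labels are assumptions.

```python
# Added illustration (not External Secrets Operator code): how a label-selector
# List() that omits namespace scoping returns objects from other namespaces, and
# how scoping the List to the requester's namespace closes the gap.
# All SecretStore records below are constructed sample data.

SAMPLE_STORES = [
    {"namespace": "team-a", "name": "vault-a", "labels": {"tier": "prod"}},
    {"namespace": "team-a", "name": "aws-a", "labels": {"tier": "dev"}},
    {"namespace": "team-b", "name": "vault-b", "labels": {"tier": "prod"}},
    {"namespace": "platform", "name": "vault-core", "labels": {"tier": "prod"}},
]


def matches(labels, selector):
    """Kubernetes matchLabels semantics: every selector pair must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def list_secret_stores(stores, selector, namespace=None):
    """Model of a controller List() call.

    namespace=None mirrors the vulnerable behaviour (no namespace selector, so
    the label selector is evaluated cluster-wide); passing the PushSecret's own
    namespace mirrors the fixed behaviour.
    """
    return [
        s for s in stores
        if matches(s["labels"], selector)
        and (namespace is None or s["namespace"] == namespace)
    ]


def cross_namespace_exposure(stores, pushsecret_ns, selector):
    """Stores an unscoped List() would return that live outside the
    PushSecret's namespace: exactly the set a scoped List() must exclude."""
    unscoped = list_secret_stores(stores, selector)
    return [s for s in unscoped if s["namespace"] != pushsecret_ns]


if __name__ == "__main__":
    sel = {"tier": "prod"}
    for s in cross_namespace_exposure(SAMPLE_STORES, "team-a", sel):
        print(f"unscoped List() would expose {s['namespace']}/{s['name']}")
    fixed = list_secret_stores(SAMPLE_STORES, sel, namespace="team-a")
    print("scoped List() returns:", [s["name"] for s in fixed])
```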
Weakness Enumeration: Improper Access Control
Affected Products: External Secrets Operator