PT-2025-41614 · External Secrets Operator

Moolen

Published 2025-10-10 · Updated 2025-10-10

CVE-2025-62159

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions 0.10.1 through 0.19.2

Description: The External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A flaw exists in the BeyondTrust provider implementation: the provider previously retrieved Kubernetes Secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, potentially exposing sensitive credentials. The issue was addressed in version 0.20.0 by using the resolvers.SecretKeyRef utility, which enforces namespace validation and restricts cross-namespace access to ClusterSecretStore types.

Recommendations: Upgrade to External Secrets Operator version 0.20.0 or later. As a workaround, use a policy engine such as Kyverno or OPA to prevent use of the BeyondTrust provider. Alternatively, validate the (Cluster)SecretStore and ensure the namespace may only be set when using a ClusterSecretStore.
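A Kyverno ClusterPolicy implementing the second workaround, added here as an example and not part of the advisory or of the External Secrets Operator project: it rejects any namespaced SecretStore whose BeyondTrust provider sets a namespace on a secretRef, so cross-namespace references stay possible only on a ClusterSecretStore. The field path spec.provider.beyondtrust.auth.*.secretRef is assumed from the provider's CRD layout; verify it against the CRD installed in the cluster before switching the policy to Enforce.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: eso-beyondtrust-no-cross-namespace-refs
spec:
  # Reject non-compliant objects at admission; also report on existing ones.
  validationFailureAction: Enforce
  background: true
  rules:
    # Only the namespaced SecretStore is matched: a ClusterSecretStore is
    # the one place where secretRef.namespace is legitimately allowed.
    - name: deny-namespace-in-secretstore-beyondtrust-refs
      match:
        any:
          - resources:
              kinds:
                - SecretStore
      validate:
        message: >-
          A namespaced SecretStore must not set secretRef.namespace on the
          BeyondTrust provider (CVE-2025-62159). Drop the namespace field or
          move the store to a ClusterSecretStore.
        deny:
          conditions:
            any:
              # Assumed CRD layout: spec.provider.beyondtrust.auth.<field>.secretRef.
              # The object projection auth.* visits every auth field, keeps those
              # that carry secretRef.namespace, and drops the rest (null results
              # are skipped by JMESPath projections). If the provider is not
              # BeyondTrust at all, the whole expression is null, `[]` is used
              # instead, and the count is 0, so unrelated stores are unaffected.
              - key: "{{ length(request.object.spec.provider.beyondtrust.auth.*.secretRef.namespace || `[]`) }}"
                operator: GreaterThan
                value: 0
```

To apply the stricter first workaround instead, match both SecretStore and ClusterSecretStore and deny the provider outright with a validate pattern that places the negation anchor X(beyondtrust): "null" under spec.provider.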

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2025-62159, GHSA-VF79-2PJX-PHPP

Affected Products: BeyondTrust Provider, External Secrets Operator, Kubernetes, Kyverno, OPA