PT-2026-3649 · External Secrets Operator

Budimanjojo · Published 2026-01-20 · Updated 2026-04-16

CVE-2026-22822

CVSS v4.0: 9.3 (Critical)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: External Secrets Operator, versions from 0.20.2 up to but not including 1.2.0 (1.2.0 is the first fixed release).
Description: The External Secrets Operator reads secret material from a third-party service and automatically injects the values into Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the getSecretKey template function could be used inside an ExternalSecret template to fetch a Secret from a different namespace. The lookup ran with the roleBinding of the external-secrets controller, not with the permissions of the user who created the ExternalSecret, so namespace isolation and the caller's own RBAC were bypassed. Anyone able to create or update an ExternalSecret in one namespace could therefore read Secrets in any other namespace, potentially leading to privilege escalation, data exfiltration, or compromise of service accounts and credentials. The function takes three string arguments selecting the Secret to retrieve: a Secret name, a namespace, and a key within that Secret (the advisory's placeholders are a-secret-name, another-namespace, and a-key). The function was removed in version 1.2.0.
Recommendations: Upgrade to External Secrets Operator version 1.2.0 or later, where the function no longer exists. As a workaround until the upgrade is done, block the function at admission time: use a Kubernetes ValidatingAdmissionPolicy or a policy engine such as Kyverno, Kubewarden, or OPA to reject any ExternalSecret whose template references getSecretKey.
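One way to apply the workaround above with only built-in Kubernetes features, as an added example (this is not code from the advisory or from the external-secrets project): a ValidatingAdmissionPolicy plus its binding that rejects any ExternalSecret whose inline template mentions getSecretKey, followed by a constructed ExternalSecret that uses the advisory's placeholder call and should be rejected. It assumes the ExternalSecret CRD field layout spec.target.template.data (map of template strings) and spec.target.template.templateFrom[].literal, the API group external-secrets.io, and a SecretStore named example-store; the policy name, binding name and probe object names are arbitrary.

```yaml
# Added example, not part of the advisory or the external-secrets project.
# Assumed CRD layout: spec.target.template.data and
# spec.target.template.templateFrom[].literal. Templates loaded through
# templateFrom.configMap / templateFrom.secret are not visible at admission of
# the ExternalSecret and are NOT covered; upgrading to 1.2.0+ is the real fix.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-eso-getsecretkey
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["external-secrets.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["externalsecrets"]
  validations:
    - expression: >-
        !has(object.spec.target) || !has(object.spec.target.template) ||
        (
          (!has(object.spec.target.template.data) ||
           !object.spec.target.template.data.exists(k,
             object.spec.target.template.data[k].contains('getSecretKey'))) &&
          (!has(object.spec.target.template.templateFrom) ||
           !object.spec.target.template.templateFrom.exists(t,
             has(t.literal) && t.literal.contains('getSecretKey')))
        )
      message: "ExternalSecret templates may not call getSecretKey (CVE-2026-22822); upgrade external-secrets to 1.2.0 or later."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-eso-getsecretkey
spec:
  policyName: deny-eso-getsecretkey
  validationActions: [Deny]
---
# Constructed negative test using the advisory's placeholder arguments.
# With the binding in place, `kubectl apply --dry-run=server -f` on this
# document must fail with the message above.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: probe-getsecretkey
  namespace: default
spec:
  secretStoreRef:
    name: example-store   # assumed store name
    kind: SecretStore
  target:
    name: probe-output
    template:
      data:
        leaked: '{{ getSecretKey "a-secret-name" "another-namespace" "a-key" }}'
```

The expression is written so that every optional path is guarded with has(); an ExternalSecret with no template at all is admitted, and an empty data map or templateFrom list evaluates to "nothing matched". Substring matching on the inline template is a stopgap for clusters that cannot upgrade immediately: it does not inspect templates referenced from ConfigMaps or Secrets, and it says nothing about ExternalSecrets that already exist, which should be audited separately with a kubectl listing of spec.target.template.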

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2026-22822
GHSA-77V3-R3JW-J2V2
GO-2026-4330
SUSE-SU-2026:0403-1

Affected Products

External Secrets Operator
Kubernetes (the platform the operator runs on)

Policy engines named in the workaround (not themselves affected): Kubewarden, Kyverno, OPA