PT-2026-37287 · Unknown · External Secrets Operator
Moolen · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42875
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
External Secrets Operator versions prior to 2.4.0
Description
Namespaced SecretStore resources using a CAProvider of type ConfigMap could resolve CA material from a different namespace when the caProvider.namespace field was set. This behavior bypassed the namespace boundary enforced for SecretStore-backed references in providers relying on the shared runtime CA resolver. While the accessible data is used only for CA validation and is not directly exposed, this is a trust-boundary violation: a tenant can force its SecretStore to consume CA material owned by another namespace. It also allows existence disclosure, enabling an attacker to infer whether a specific target ConfigMap or key exists in another namespace.
Recommendations
Update to version 2.4.0.
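As an added example (not part of this advisory or of the External Secrets Operator project), the following Python audit walks exported SecretStore manifests and flags the configuration pattern described above: a namespaced SecretStore whose ConfigMap-type caProvider names a namespace other than its own. The sample manifests are constructed; the provider path spec.provider.vault.caProvider used in them is one assumed location of the field, and the walk is recursive so the check does not depend on that path. ClusterSecretStore objects are skipped because cross-namespace references are expected for cluster-scoped stores.

```python
"""Audit check for cross-namespace CAProvider references in namespaced SecretStores.

Added example, not project code. It inspects already-exported manifests (for
instance the parsed output of `kubectl get secretstores -A -o json`) and reports
every namespaced SecretStore whose ConfigMap-type caProvider points at another
namespace, the pattern the advisory describes for versions prior to 2.4.0.
"""
from __future__ import annotations

from typing import Any, Iterator

# Constructed sample manifests (not from any real cluster).
SAMPLE_MANIFESTS: list[dict[str, Any]] = [
    {   # Flagged: tenant-a store pulls CA material from tenant-b's ConfigMap.
        "apiVersion": "external-secrets.io/v1",
        "kind": "SecretStore",
        "metadata": {"name": "vault-store", "namespace": "tenant-a"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "tenant-b"},
        }}},
    },
    {   # Not flagged: caProvider namespace equals the store's own namespace.
        "apiVersion": "external-secrets.io/v1",
        "kind": "SecretStore",
        "metadata": {"name": "vault-store", "namespace": "tenant-b"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "tenant-b"},
        }}},
    },
    {   # Not flagged: no namespace set, so the store's own namespace is used.
        "apiVersion": "external-secrets.io/v1",
        "kind": "SecretStore",
        "metadata": {"name": "vault-store", "namespace": "tenant-c"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca", "key": "ca.crt"},
        }}},
    },
    {   # Not flagged: cluster-scoped stores legitimately reference any namespace.
        "apiVersion": "external-secrets.io/v1",
        "kind": "ClusterSecretStore",
        "metadata": {"name": "shared-vault"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "platform-pki"},
        }}},
    },
]


def _walk_ca_providers(node: Any, path: str = "spec") -> Iterator[tuple[str, dict[str, Any]]]:
    """Yield (dotted path, caProvider mapping) for every `caProvider` key under `node`.

    The walk is recursive because the field's location differs between providers.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "caProvider" and isinstance(value, dict):
                yield child, value
            else:
                yield from _walk_ca_providers(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk_ca_providers(item, f"{path}[{index}]")


def find_cross_namespace_ca_refs(manifests: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per namespaced SecretStore whose ConfigMap caProvider
    names a namespace other than the store's own."""
    findings: list[dict[str, str]] = []
    for obj in manifests:
        if obj.get("kind") != "SecretStore":
            continue  # ClusterSecretStore and unrelated kinds are out of scope
        if not str(obj.get("apiVersion", "")).startswith("external-secrets.io/"):
            continue
        meta = obj.get("metadata", {})
        own_ns = meta.get("namespace")
        for path, cap in _walk_ca_providers(obj.get("spec", {})):
            if cap.get("type") != "ConfigMap":
                continue  # the advisory concerns the ConfigMap-backed CAProvider
            ref_ns = cap.get("namespace")
            if ref_ns and ref_ns != own_ns:
                findings.append({
                    "store": f"{own_ns}/{meta.get('name')}",
                    "path": path,
                    "configmap": str(cap.get("name")),
                    "referenced_namespace": str(ref_ns),
                })
    return findings


if __name__ == "__main__":
    for finding in find_cross_namespace_ca_refs(SAMPLE_MANIFESTS):
        print(f"{finding['store']}: {finding['path']} references ConfigMap "
              f"'{finding['configmap']}' in namespace '{finding['referenced_namespace']}'")
```

Run it against the JSON list returned by the API server for all namespaces; a non-empty result on a cluster still running a version prior to 2.4.0 identifies the stores to review before and after the upgrade.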
Fix
Improper Authorization
Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
External Secrets Operator