PT-2026-3742 · Go · github.com/external-secrets/external-secrets

Published

2026-01-20

·

Updated

2026-01-20

CVSS v4.0

9.3

Critical

Vector

AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

The getSecretKey template function, introduced for the senhasegura DevOps Secrets Management (DSM) provider, could fetch Kubernetes Secrets from any namespace using the permissions granted to the external-secrets controller itself (its RoleBinding), not those of the namespace the ExternalSecret lives in. A template author in one namespace could therefore read Secrets belonging to other namespaces, bypassing the controller's namespace-scoping safeguards.
The function has been removed entirely: everything it was used for can be achieved in a way that respects those safeguards, for example with sourceRef, as explained at https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865

Impact

  • Cross-namespace secret access: an attacker able to create or modify an ExternalSecret template (or a misconfigured resource) could retrieve Secrets from namespaces other than the one the ExternalSecret is deployed in.
  • Privilege escalation: Secrets read this way (service account tokens, credentials) can be used for privilege escalation, data exfiltration, or compromise of the service accounts and systems they protect.

Resolution

We removed the offending templating function from the codebase. All users should upgrade to the latest release containing this fix.

Workarounds

Until you can upgrade, use an admission policy engine (a Kubernetes ValidatingAdmissionPolicy, Kyverno, Kubewarden, or OPA) to reject any ExternalSecret whose template uses getSecretKey.
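The following is an added example of that workaround, not part of this advisory or of the external-secrets project: a Kubernetes ValidatingAdmissionPolicy (CEL, admissionregistration.k8s.io/v1) that denies any ExternalSecret whose inline template contains the string getSecretKey. The field paths spec.target.template.data and spec.target.template.templateFrom[].literal are taken from the ExternalSecret API as understood here and should be checked against the CRD version you run; the policy and binding names are placeholders.

```yaml
# Added example (not project code): block ExternalSecrets whose inline
# template calls getSecretKey. Names are placeholders; field paths follow
# the ExternalSecret API (spec.target.template.data, templateFrom[].literal).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-getsecretkey-template
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["external-secrets.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["externalsecrets"]
  validations:
    - # Admit when there is no template, or when neither the inline data map
      # nor any templateFrom literal mentions getSecretKey. has() guards every
      # optional field so the expression never errors on a minimal object.
      expression: >-
        !has(object.spec.target) || !has(object.spec.target.template) ||
        ((!has(object.spec.target.template.data) ||
        !object.spec.target.template.data.exists(k,
        object.spec.target.template.data[k].contains("getSecretKey"))) &&
        (!has(object.spec.target.template.templateFrom) ||
        !object.spec.target.template.templateFrom.exists(t,
        has(t.literal) && t.literal.contains("getSecretKey"))))
      message: >-
        ExternalSecret templates must not call getSecretKey
        (GHSA-77v3-r3jw-j2v2); use sourceRef instead.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-getsecretkey-template-binding
spec:
  policyName: deny-getsecretkey-template
  validationActions: ["Deny"]
```

Apply both objects with kubectl apply, then confirm that a throwaway ExternalSecret whose template contains getSecretKey is rejected while one without it is admitted. Three limitations to keep in mind: templates pulled in through templateFrom.configMap or templateFrom.secret are not visible to this policy, so restrict who can write those ConfigMaps and Secrets or police them separately; ClusterExternalSecret carries the same template under spec.externalSecretSpec.target.template and needs its own resourceRule and expression; and admission only gates new writes, so audit objects already in the cluster, for example with kubectl get externalsecrets -A -o yaml piped through grep -n getSecretKey.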

Weakness Enumeration

Incorrect Authorization

Related Identifiers

GHSA-77v3-r3jw-j2v2

Affected Products

github.com/external-secrets/external-secrets