PT-2026-39231 · Unknown · External Secrets Operator

Factory-Kirk


Published: 2026-05-08 · Updated: 2026-05-11

CVE-2026-42876

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions prior to 2.4.1
Description: A user with permissions to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes automatically populates with a long-lived token for a specified service account. This allows the user to impersonate any service account within the namespace without requiring direct create permissions on TokenRequest or Secrets of that type.
Recommendations: Update to version 2.4.1. Add admission control logic to prevent the use of Templates targeting undesired Types. Remove Service Account Token generation via kube-controller-manager flags. Restrict User RBAC on production clusters and sensitive namespaces.
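The "admission control logic" recommendation, worked through as an added example (not code from the advisory or from the External Secrets Operator project): a validating-webhook decision function that rejects an ExternalSecret whose template asks for a Secret type the cluster should never let the operator render. It assumes the ExternalSecret API exposes the rendered Secret's type at spec.target.template.type and that the request arrives as a standard admission.k8s.io/v1 AdmissionReview; the HTTP/TLS server that would wrap this function is left out, and the sample review bodies are constructed for the example.

```python
"""Validating admission check for ExternalSecret templates (added example).

Assumptions not taken from the advisory: ExternalSecret carries the type of
the Secret it renders at spec.target.template.type, and the webhook receives
an admission.k8s.io/v1 AdmissionReview. The webhook HTTP server is omitted.
"""
import json
from typing import Optional, Tuple

# Secret types an ExternalSecret template must not request. The Kubernetes
# token controller fills Secrets of this type with a long-lived service
# account token, which is the behaviour the advisory describes.
DENIED_SECRET_TYPES = {"kubernetes.io/service-account-token"}

ESO_GROUP = "external-secrets.io"


def requested_secret_type(obj: dict) -> Optional[str]:
    """Return the Secret type the ExternalSecret template asks for, if any.

    Field path spec.target.template.type is an assumption about the ESO API.
    """
    target = (obj.get("spec") or {}).get("target") or {}
    template = target.get("template") or {}
    return template.get("type")


def evaluate_external_secret(obj: dict) -> Tuple[bool, str]:
    """Decide whether a single ExternalSecret object is acceptable."""
    secret_type = requested_secret_type(obj)
    if secret_type is None:
        return True, "no template type requested; operator default applies"
    if secret_type in DENIED_SECRET_TYPES:
        return False, (
            f"ExternalSecret template type {secret_type!r} is not permitted: "
            "Kubernetes would auto-populate the resulting Secret"
        )
    return True, f"template type {secret_type!r} permitted"


def build_admission_response(review: dict) -> dict:
    """Map an AdmissionReview request to an AdmissionReview response.

    Both CREATE and UPDATE are evaluated, since a template can be added to
    an existing ExternalSecret after creation.
    """
    request = review["request"]
    kind = request.get("kind") or {}
    allowed, message = True, "not an ExternalSecret; not evaluated"
    if kind.get("group") == ESO_GROUP and kind.get("kind") == "ExternalSecret":
        allowed, message = evaluate_external_secret(request.get("object") or {})
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        # code/message surface in the kubectl error the requester sees
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}


def handle_body(body: bytes) -> bytes:
    """Byte-level entry point a webhook server would call."""
    return json.dumps(build_admission_response(json.loads(body))).encode()


def make_review(obj: dict, uid: str, operation: str = "CREATE") -> dict:
    """Build a constructed AdmissionReview around an object (sample input)."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": obj["apiVersion"].split("/")[0],
                     "version": "v1", "kind": obj["kind"]},
            "namespace": obj["metadata"]["namespace"],
            "operation": operation,
            "object": obj,
        },
    }


# Constructed sample objects: one requesting a denied type, one benign.
DENIED_OBJECT = {
    "apiVersion": f"{ESO_GROUP}/v1", "kind": "ExternalSecret",
    "metadata": {"name": "bad-template", "namespace": "prod"},
    "spec": {"secretStoreRef": {"name": "store", "kind": "SecretStore"},
             "target": {"name": "rendered",
                        "template": {"type": "kubernetes.io/service-account-token"}},
             "data": []},
}
BENIGN_OBJECT = {
    "apiVersion": f"{ESO_GROUP}/v1", "kind": "ExternalSecret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "spec": {"secretStoreRef": {"name": "store", "kind": "SecretStore"},
             "target": {"name": "db-creds", "template": {"type": "Opaque"}},
             "data": []},
}

if __name__ == "__main__":
    for obj in (DENIED_OBJECT, BENIGN_OBJECT):
        print(handle_body(json.dumps(make_review(obj, "constructed-uid")).encode()).decode())
```

A denylist on the template type is deliberately narrow so that ordinary Opaque or kubernetes.io/tls templates keep working; if the cluster has no legitimate use for templates at all, the same function can be tightened to reject any spec.target.template. The check belongs on both CREATE and UPDATE, as written, and is only a defence-in-depth layer on top of the upgrade to 2.4.1 and RBAC tightening the advisory recommends.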

Fix

Improper Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-42876
GHSA-FQ7H-9X26-6J22

Affected Products

External Secrets Operator