External Secrets Operator 0.20.2<1.2.0 getSecretKey Cross-NS Escalation
CVE-2026-22822 Published on January 21, 2026

External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.

NVD

Vulnerability Analysis

CVE-2026-22822 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-22822 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-22822

Want to know whenever a new CVE is published for Red Hat External Secrets Operator? stack.watch will email you.

Red Hat External Secrets Operator
 

Affected Versions

external-secrets: external secrets operator for Red Hat OpenShift - Tech Preview: External Secrets Operator for Red Hat OpenShift:

Exploit Probability

EPSS
0.17%
Percentile
7.03%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.