PatchSiren cyber security CVE debrief
CVE-2026-22822 External Secrets CVE debrief
CVE-2026-22822 is a critical vulnerability in External Secrets Operator, a Kubernetes component that injects secrets from third-party secret stores into the cluster. The `getSecretKey` template function, introduced in version 0.20.2, can fetch Secrets from other namespaces because the lookup is performed with the external-secrets controller's own RoleBinding, bypassing namespace isolation. The function was removed in version 1.2.0. As a workaround, use a policy engine (Kubernetes admission policy, Kyverno, or OPA) to reject ExternalSecret resources that use `getSecretKey`. The CVSS score is 9.3, indicating critical severity. Affected versions are 0.20.2 up to but not including 1.2.0.
- Vendor: External Secrets
- Product: External Secrets Operator
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-21
- Advisory updated: 2026-06-30
Who should care
Users of External Secrets Operator, especially those managing sensitive data across multiple namespaces, should be aware of this vulnerability. Security teams and Kubernetes administrators must assess their exposure and take the actions needed to mitigate the risk. Given the critical severity and the potential for unauthorized access to Secrets in other namespaces, immediate attention is required.
Technical summary
The External Secrets Operator, used to inject secrets from third-party secret stores into Kubernetes, has a critical vulnerability (CVE-2026-22822) that allows unauthorized access to Secrets across namespaces. The cause is the `getSecretKey` template function, introduced in version 0.20.2 and removed in version 1.2.0. Because the function runs with the RoleBinding of the external-secrets controller rather than within the namespace of the ExternalSecret that invokes it, a template could read Secrets it would otherwise have no access to. The vulnerability has a CVSS score of 9.3, indicating critical severity. Affected versions are 0.20.2 up to but not including 1.2.0.
Defensive priority
High. Immediate action is required to mitigate the risk of unauthorized access to sensitive information.
Recommended defensive actions
- Upgrade External Secrets Operator to version 1.2.0 or later to remove the vulnerable `getSecretKey` function.
- Use a policy engine (Kubernetes admission policy, Kyverno, Kubewarden, or OPA) to reject ExternalSecret resources that use `getSecretKey`.
- Review and update roleBindings for the external-secrets controller to ensure proper namespace isolation.
- Audit existing ExternalSecret resources for any use of the `getSecretKey` function and monitor for new occurrences in your environment.
- Perform a thorough inventory of affected systems and apply mitigations or patches as necessary.
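The audit step above, as an added example that is not part of the advisory or the External Secrets project: the scanner walks the JSON that `kubectl get externalsecrets -A -o json` returns, flags every template string that calls `getSecretKey`, and checks an operator version against the affected range. The sample objects, names and the argument order shown for `getSecretKey` are constructed for this example.

```python
"""Audit ExternalSecret objects for the getSecretKey template function (added example)."""
import json
import re

# Constructed sample shaped like `kubectl get externalsecrets -A -o json`;
# names, namespaces and the getSecretKey argument order are made up here.
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "team-a", "name": "db-creds"},
     "spec": {"target": {"template": {"data": {"password": "{{ .password }}"}}}}},
    {"metadata": {"namespace": "team-b", "name": "cross-ns"},
     "spec": {"target": {"template": {
         "data": {"token": '{{ getSecretKey "other-ns" "other-secret" "key" }}'},
         "templateFrom": [{"literal": 'user: {{ getSecretKey "other-ns" "s" "u" }}'}]}}}},
    {"metadata": {"namespace": "team-c", "name": "no-template"}, "spec": {"target": {}}},
]})

GET_SECRET_KEY = re.compile(r"\bgetSecretKey\b")


def _walk_strings(node, path):
    """Yield (json_path, text) for every string nested anywhere under node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{idx}]")


def find_get_secret_key(raw_list_json):
    """Return (namespace, name, json_path) for each template string that uses getSecretKey."""
    findings = []
    for obj in json.loads(raw_list_json).get("items", []):
        meta = obj.get("metadata", {})
        # Inline `data` templates and `templateFrom` literals are both walked.
        template = (obj.get("spec", {}).get("target") or {}).get("template") or {}
        for path, text in _walk_strings(template, "spec.target.template"):
            if GET_SECRET_KEY.search(text):
                findings.append((meta.get("namespace", ""), meta.get("name", ""), path))
    return findings


def is_affected_version(version):
    """True for operator versions in the advisory's range: 0.20.2 <= v < 1.2.0."""
    core = version.lstrip("v").split("-")[0]  # drop "v" prefix and any pre-release tag
    parts = tuple(int(p) for p in core.split("."))
    return (0, 20, 2) <= parts < (1, 2, 0)
```

Any finding on an operator in the affected range is a resource to remove or rewrite before (or alongside) the upgrade to 1.2.0.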
Evidence notes
The CVE-2026-22822 vulnerability details were obtained from the NVD and associated sources. The External Secrets Operator's GitHub repository provides additional context, including the removal of the `getSecretKey` function in version 1.2.0 and workarounds for affected versions.
Official resources
- CVE-2026-22822 CVE record (CVE.org)
- CVE-2026-22822 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Source reference: Issue Tracking
- Source reference: Issue Tracking
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.