PatchSiren

CVE-2026-22822 External Secrets CVE debrief

CVE-2026-22822 is a critical vulnerability in External Secrets Operator (ESO), the Kubernetes controller that injects secrets from third-party providers into Kubernetes Secrets. The `getSecretKey` template function, introduced in version 0.20.2, is evaluated by the controller itself, so it reads Secrets with the controller's own RoleBinding rather than with the permissions of whoever created the ExternalSecret. A user who can create an ExternalSecret in one namespace can therefore pull Secrets from other namespaces the controller can read, bypassing the namespace isolation that Kubernetes RBAC is meant to provide. The function was removed in version 1.2.0. As a workaround on affected versions, use a Kubernetes policy engine such as Kyverno, Kubewarden, or OPA to reject ExternalSecret resources that use `getSecretKey`. The CVSS score is 9.3 (critical). Affected versions are 0.20.2 up to but not including 1.2.0.

Vendor
External Secrets
Product
External Secrets Operator
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-21
Original CVE updated
2026-06-30
Advisory published
2026-01-21
Advisory updated
2026-06-30

Who should care

Anyone running External Secrets Operator in an affected version, and in particular multi-tenant clusters where different teams own different namespaces and are allowed to create ExternalSecret resources. Security teams and Kubernetes administrators should confirm the deployed ESO version, check whether non-admin users can create ExternalSecret objects, and treat the issue as urgent: the impact is read access to Secrets (tokens, credentials, keys) in namespaces the requesting user should not be able to see.

Technical summary

External Secrets Operator reconciles namespaced ExternalSecret resources and writes the fetched values into Kubernetes Secrets. The target Secret can be shaped with Go templates under `spec.target.template`, and version 0.20.2 added a `getSecretKey` template function to that template environment. Because templates are rendered inside the controller, `getSecretKey` reads Secrets with the controller's RoleBinding, which in a typical install spans namespaces. Nothing tied the lookup to the namespace of the ExternalSecret that invoked it, so any principal allowed to create or edit an ExternalSecret could copy a Secret from another namespace into one it controls; in effect the controller acts as a confused deputy. The maintainers removed the function in version 1.2.0 rather than scoping it. The CVSS score is 9.3 (critical); affected versions are 0.20.2 up to but not including 1.2.0.

Defensive priority

High. Upgrade to 1.2.0 or later as soon as possible; until then, block `getSecretKey` at admission and audit existing ExternalSecret resources for it, since exploitation requires nothing more than the ability to create an ExternalSecret.

Recommended defensive actions

  • Upgrade External Secrets Operator to version 1.2.0 or later, which removes the vulnerable `getSecretKey` function entirely.
  • Where you cannot upgrade yet, use a Kubernetes policy engine such as Kyverno, Kubewarden, or OPA to reject ExternalSecret resources whose templates contain `getSecretKey`. Note that ClusterExternalSecret embeds an ExternalSecret spec and that `templateFrom` can pull template text from a ConfigMap or Secret, so a policy that only inspects inline ExternalSecret templates can be sidestepped; cover those paths too.
  • Review the RoleBinding or ClusterRoleBinding granted to the external-secrets controller. The function reads with the controller's permissions, so limiting its Secret access to the namespaces it genuinely needs limits what a malicious template can reach.
  • Audit existing ExternalSecret resources (for example `kubectl get externalsecrets -A -o yaml`) for `getSecretKey`, and alert on new occurrences through admission-controller denials or API audit logs.
  • Inventory every cluster running ESO, record the deployed image tag, and track upgrades or mitigations per cluster until none remain in the 0.20.2 to 1.1.x range.
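The version check and the audit of existing resources from the list above, as an added example that is not code from External Secrets or PatchSiren. It assumes the input is the JSON printed by `kubectl get externalsecrets -A -o json` (a List with an `items` array) and that the deployed version can be read from the controller's image tag; the sample manifests and the argument list passed to `getSecretKey` below are constructed for the demo, since the page does not document the function's signature. The same predicate (any string under `spec` that references `getSecretKey`) is what an admission policy should deny.

```python
"""Audit helpers for CVE-2026-22822 (External Secrets Operator getSecretKey).

Added example, not part of the External Secrets project. Input format is
assumed to be `kubectl get externalsecrets -A -o json`; sample data is
constructed for illustration.
"""
import json
import re
from typing import Any, Iterator

# Affected range stated in the advisory: 0.20.2 <= version < 1.2.0
AFFECTED_MIN = (0, 20, 2)
FIXED = (1, 2, 0)

_SEMVER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
# Match the template function name as a whole word, e.g. `{{ getSecretKey ... }}`
_GETSECRETKEY = re.compile(r"\bgetSecretKey\b")


def parse_version(image_or_tag: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from 'v1.1.0' or a full image reference
    such as 'ghcr.io/external-secrets/external-secrets:v1.1.0'."""
    m = _SEMVER.search(image_or_tag)
    if not m:
        raise ValueError(f"no semantic version found in {image_or_tag!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(image_or_tag: str) -> bool:
    """True if the ESO version ships the getSecretKey template function."""
    return AFFECTED_MIN <= parse_version(image_or_tag) < FIXED


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (jsonpath, value) for every string anywhere under `node`.
    Walking recursively also covers ClusterExternalSecret's embedded
    externalSecretSpec and nested template data."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_getsecretkey(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (namespace, name, jsonpath) for every string in an object's
    spec that calls getSecretKey. Accepts a kubectl List or a single object.
    Caveat: templates pulled in via templateFrom live in a ConfigMap/Secret
    and are not visible here; audit those separately."""
    items = manifest["items"] if manifest.get("kind") == "List" else [manifest]
    hits = []
    for item in items:
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", "<cluster>"), meta.get("name", "?")
        for path, text in walk_strings(item.get("spec", {}), "$.spec"):
            if _GETSECRETKEY.search(text):
                hits.append((ns, name, path))
    return hits


# Constructed sample: one ExternalSecret abusing getSecretKey, one benign.
SAMPLE_LIST = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
   "metadata": {"namespace": "team-a", "name": "db-creds"},
   "spec": {"secretStoreRef": {"name": "vault", "kind": "ClusterSecretStore"},
            "target": {"name": "db-creds", "template": {"data": {
                "password": "{{ .password }}",
                "stolen": "{{ getSecretKey \\"kube-system\\" \\"admin-token\\" \\"token\\" }}"}}},
            "data": [{"secretKey": "password", "remoteRef": {"key": "db/password"}}]}},
  {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
   "metadata": {"namespace": "team-b", "name": "api-key"},
   "spec": {"secretStoreRef": {"name": "vault", "kind": "ClusterSecretStore"},
            "target": {"name": "api-key", "template": {"data": {"key": "{{ .key | upper }}"}}},
            "data": [{"secretKey": "key", "remoteRef": {"key": "api/key"}}]}}
]}
""")

if __name__ == "__main__":
    for tag in ("v0.20.1", "v0.20.2", "ghcr.io/external-secrets/external-secrets:v1.1.3", "v1.2.0"):
        print(f"{tag}: {'AFFECTED' if is_affected(tag) else 'ok'}")
    for ns, name, path in find_getsecretkey(SAMPLE_LIST):
        print(f"getSecretKey found in {ns}/{name} at {path}")
```

Point the script at real output (`kubectl get externalsecrets,clusterexternalsecrets -A -o json`) after verifying the version; any hit is either an active abuse or a template that must be rewritten before the upgrade removes the function.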

Evidence notes

The CVE-2026-22822 details above were taken from the NVD record and the associated advisory. The External Secrets Operator GitHub repository provides the additional context: the function was introduced in 0.20.2, removed in 1.2.0, and policy-engine blocking of `getSecretKey` is the documented workaround for affected versions. No KEV listing or public exploit appears in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.