PatchSiren

External Secrets CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL External Secrets CVE published 2026-01-21

CVE-2026-22822

CVE-2026-22822 is a critical vulnerability in External Secrets Operator, a Kubernetes component that injects secrets from third-party services. The `getSecretKey` template function, introduced in version 0.20.2, can fetch secrets across namespaces through the roleBinding of the external-secrets controller, bypassing security mechanisms. This function was removed in version 1.2.0. As a workaround, use polic [truncated]