CRITICAL
External Secrets
CVE published 2026-01-21
CVE-2026-22822
CVE-2026-22822 is a critical vulnerability in External Secrets Operator, a Kubernetes component that injects secrets from third-party services. The `getSecretKey` template function, introduced in version 0.20.2, can fetch secrets across namespaces using the external-secrets controller's roleBinding, bypassing security mechanisms. This function was removed in version 1.2.0. As a workaround, use polic [truncated]