External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

Low severity GitHub Reviewed Published Apr 24, 2026 in external-secrets/external-secrets • Updated May 5, 2026

Package

gomod github.com/external-secrets/external-secrets (Go)

Affected versions

< 2.4.0

Patched versions

2.4.0

Description

Impact

Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set.
This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver.

The data reached this way is only used as CA validation material, so it is not directly exposed.

Impact:

  • Direct data exfiltration risk: low
  • Existence disclosure: an attacker can infer whether a target ConfigMap/key exists in another namespace.
  • Trust-boundary violation: a tenant can make its SecretStore consume CA material owned by another namespace.
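
The boundary the advisory describes can be checked outside the operator, for example when auditing an inventory of stores before and after upgrading to 2.4.0. The following Go code is an added example, not code from the external-secrets project: it models only the fields named above (kind, namespace, caProvider type/name/namespace), rejects a namespaced SecretStore whose caProvider.namespace differs from its own namespace, and assumes a ClusterSecretStore uses caProvider.namespace as given.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified models of the fields the advisory refers to; not the operator's own types.
type CAProvider struct {
	Type      string // "Secret" or "ConfigMap"
	Name      string
	Namespace string // optional: the field whose handling the advisory describes
}

type Store struct {
	Kind       string // "SecretStore" or "ClusterSecretStore"
	Name       string
	Namespace  string // empty for ClusterSecretStore
	CAProvider CAProvider
}

var ErrCrossNamespaceCA = errors.New("namespaced SecretStore may not reference CA material in another namespace")

// EffectiveCANamespace returns the namespace the CA ConfigMap/Secret must be read
// from. A namespaced SecretStore is pinned to its own namespace, so a differing
// caProvider.namespace is rejected rather than honoured (the check that was missing).
// ClusterSecretStore is assumed to use caProvider.namespace as given.
func EffectiveCANamespace(s Store) (string, error) {
	switch s.Kind {
	case "SecretStore":
		if ns := s.CAProvider.Namespace; ns != "" && ns != s.Namespace {
			return "", fmt.Errorf("%w: %s/%s -> %s", ErrCrossNamespaceCA, s.Namespace, s.Name, ns)
		}
		return s.Namespace, nil
	case "ClusterSecretStore":
		return s.CAProvider.Namespace, nil
	}
	return "", fmt.Errorf("unknown store kind %q", s.Kind)
}

// AuditStores lists every store whose CA material an operator older than 2.4.0
// would have read from a foreign namespace; review these before and after upgrading.
func AuditStores(stores []Store) []Store {
	var findings []Store
	for _, s := range stores {
		if _, err := EffectiveCANamespace(s); errors.Is(err, ErrCrossNamespaceCA) {
			findings = append(findings, s)
		}
	}
	return findings
}
```

Feed AuditStores with stores read from `kubectl get secretstores,clustersecretstores -A -o json`; any finding is a tenant whose trust root was, or still is, coming from another namespace.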

Published to the GitHub Advisory Database May 5, 2026
Reviewed May 5, 2026
Last updated May 5, 2026

Severity

Low

Weaknesses

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CVE ID

CVE-2026-42875

GHSA ID

GHSA-wv26-88m5-6h59
