CVE-2026-22822 – The External Secrets Operator's getSecretKey te... (How to Fix)

Q: What is the severity of CVE-2026-22822?

CVE-2026-22822 has a CVSS score of 8.8 (HIGH). The External Secrets Operator's getSecretKey template function allows cross-namespace secret retrieval, bypassing Kubernetes RBAC controls. This affects users of External Secrets Operator versions 0.20.2 through 1.1.x. Attackers with access to create ExternalSecret resources could potentially access secrets from unauthorized namespaces.

📋 TL;DR

The External Secrets Operator's getSecretKey template function allows cross-namespace secret retrieval, bypassing Kubernetes RBAC controls. This affects users of External Secrets Operator versions 0.20.2 through 1.1.x. Attackers with access to create ExternalSecret resources could potentially access secrets from unauthorized namespaces.

💻 Affected Systems

Products:

External Secrets Operator

Versions: 0.20.2 through 1.1.x (all versions before 1.2.0)

Operating Systems: All platforms running Kubernetes

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments using the senhasegura DSM provider with the getSecretKey template function, but the vulnerability exists in all installations within the affected version range.

📦 What is this software?

External Secrets Operator by External Secrets

View all CVEs affecting External Secrets Operator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all secrets managed by External Secrets Operator across all namespaces, leading to credential theft, data breaches, and lateral movement within the cluster.

🟠

Likely Case

Unauthorized access to secrets in other namespaces, potentially exposing sensitive credentials, API keys, or configuration data that should be namespace-isolated.

🟢

If Mitigated

Limited impact with proper network segmentation and namespace isolation, but still represents a privilege escalation vulnerability within the cluster.

🌐 Internet-Facing: LOW - This vulnerability requires access to the Kubernetes API server and ability to create ExternalSecret resources, which typically isn't internet-facing.

🏢 Internal Only: HIGH - This is an internal cluster vulnerability that allows privilege escalation and cross-namespace secret access for authenticated users with appropriate permissions.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires Kubernetes API access and permissions to create ExternalSecret resources. The vulnerability is well-documented in the advisory with clear attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0

Vendor Advisory: https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2

Restart Required: Yes

Instructions:

1. Backup current External Secrets Operator configuration. 2. Update to version 1.2.0 or later using your deployment method (Helm, kubectl, operator). 3. Verify the controller pods restart successfully. 4. Test secret retrieval functionality.

🔧 Temporary Workarounds

Policy Engine Restriction

all

Use Kubernetes admission controllers like OPA Gatekeeper, Kyverno, or Kubewarden to block usage of getSecretKey template function in ExternalSecret resources.

🧯 If You Can't Patch

Implement strict RBAC controls to limit who can create or modify ExternalSecret resources
Deploy network policies to isolate External Secrets Operator components and limit their access to only necessary namespaces

🔍 How to Verify

Check if Vulnerable:

Check External Secrets Operator version: kubectl get deployment -n external-secrets external-secrets -o jsonpath='{.spec.template.spec.containers[0].image}'

Check Version:

kubectl get deployment -n external-secrets external-secrets -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9.]*'

Verify Fix Applied:

Confirm version is 1.2.0 or later and check that getSecretKey function references are removed from ExternalSecret resources

📡 Detection & Monitoring

Log Indicators:

Audit logs showing ExternalSecret creation with getSecretKey function
Controller logs showing cross-namespace secret retrieval

Network Indicators:

Unusual API calls to external secret providers from unexpected namespaces

SIEM Query:

kubernetes.audit.objectRef.resource: externalsecrets AND kubernetes.audit.verb: create AND requestObject.spec.data[*].remoteRef.template: *getSecretKey*

📊 Metadata

CVE ID: CVE-2026-22822

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-863

EPSS Score: 0.01% exploit probability (2.4th percentile)

Published: January 21, 2026

Last Updated: February 18, 2026

🔗 References

https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb Patch
https://github.com/external-secrets/external-secrets/issues/5690 Issue Tracking
https://github.com/external-secrets/external-secrets/pull/3895 Issue Tracking
https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0 Product,Release Notes
https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22822, you might also want to check these: