CLEANSTART-2026-AY89602 Security fixes for CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501 applied in versions: 0.36.1-r0, 0.36.6-r0

Multiple security vulnerabilities affect the sealed-secrets package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-MK07381 Security fixes for CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501 applied in versions: 0.35.0-r0, 0.35.0-r1, 0.35.0-r2

Multiple security vulnerabilities affect the sealed-secrets package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-FH63386 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint

Multiple security vulnerabilities affect the sealed-secrets package. When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. See references for individual vulnerability...

CLEANSTART-2026-LK73694 During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions

Multiple security vulnerabilities affect the sealed-secrets package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details...

CLEANSTART-2026-DM62512 Security fixes for CVE-2026-25679, CVE-2026-27139, CVE-2026-27142 applied in versions: 0.35.0-r0

Multiple security vulnerabilities affect the sealed-secrets package. These issues are resolved in later releases. See references for individual vulnerability details...

SUSE CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

GO-2026-4565 Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations in github.com/bitnami-labs/sealed-secrets

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations in github.com/bitnami-labs/sealed-secrets...

CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

EUVD-2026-8795

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations...

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations

This report shows a scope-widening issue in the rotate re-encrypt flow: the output scope can be derived from untrusted spec.template.metadata.annotations on the input sealed secret. If a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can...

CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

CVE-2026-22728 sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

CVE-2026-22728

CVE-2026-22728 concerns Bitnami Sealed Secrets during the secret rotation flow (/v1/rotate). The rotation process derives the new sealing scope from input SealedSecret metadata, and untrusted annotations in the template can widen the scope to cluster-wide (sealedsecrets.bitnami.com/cluster-wide=t...

CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

PT-2026-22072

Name of the Vulnerable Software and Affected Versions Bitnami Sealed Secrets affected versions not specified Description Bitnami Sealed Secrets is susceptible to a scope-widening attack during the secret rotation process via the /v1/rotate API endpoint. The rotation handler uses untrusted data fr...

Sealed Secrets 安全漏洞

Sealed Secrets is a configuration encryption tool open source by Bitnami Labs. There are security vulnerabilities in Sealed Secrets, and these vulnerabilities stem from a range expansion attack within the key rotation process. This attack could potentially bypass original constraints and restore...

CVE-2025-61729 vulnerabilities

Vulnerabilities for packages: kubecolor, supercronic, kaf, prometheus-alertmanager, k8sgpt-operator, ctop, nri-haproxy, s5cmd, kubernetes-replicator, k6, db-operator, rancher-telemetry, ko, gostatsd, cloud-provider-vsphere, kapp, hcloud, rancher-system-agent, nfpm, nri-postgresql, jaeger-operator...