Lucene search

10 matches found

Cvelist
added 2026/05/11 6:56 p.m., 27 views

CVE-2026-42875 External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace w...

CVSS 5.3, EPSS 0.00043
Exploits 0, References 1
Github Security Blog
added 2026/05/05 6:37 p.m., 3 views

External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

Impact: Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA...

CVSS 5.3, AI score 5.8, EPSS 0.00043
Exploits 0, References 3, Affected Software 1
OSV
added 2026/05/05 6:37 p.m., 1 views

GHSA-WV26-88M5-6H59 External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

Impact: Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA...

CVSS 5.3, AI score 5.8, EPSS 0.00043
Exploits 0, References 3
Positive Technologies
added 2026/05/05 12:0 a.m., 5 views

PT-2026-37287

Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions prior to 2.4.0. Description: Namespaced SecretStore resources using CAProvider with type ConfigMap could resolve CA material from a different namespace when the caProvider.namespace variable was set. This...

CVSS 5.3, AI score 5.8, EPSS 0.00043
Exploits 0, References 4
SUSE CVE
added 2025/08/21 11:21 p.m., 1 views

SUSE CVE-2025-55196

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...

CVSS 7.1, AI score 6.5, EPSS 0.00108
Exploits 0, References 2
RedhatCVE
added 2025/08/15 11:42 p.m., 5 views

CVE-2025-55196

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...

CVSS 7.1, AI score 6.5, EPSS 0.00108
Exploits 0, References 1
CVE
added 2025/08/13 10:54 p.m., 20 views

CVE-2025-55196

External Secrets Operator (github.com/external-secrets/external-secrets) contains a vulnerability in versions 0.15.0–0.19.1 where PushSecret List() calls on Kubernetes Secret and SecretStore resources ignore namespace selectors. This allows an attacker who can create or update PushSecret resource...

CVSS 7.1, AI score 6.4, EPSS 0.00108
Exploits 0, References 5
Cvelist
added 2025/08/13 10:54 p.m., 5 views

CVE-2025-55196 External Secrets Operator Missing Namespace Restriction in PushSecret and SecretStore List() Calls Allows Unauthorized Secret Access

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...

CVSS 7.1, EPSS 0.00108
Exploits 0, References 5
Snyk
added 2025/08/13 7:45 p.m., 2 views

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass via the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller, which does not apply a namespace selector. An attacker can access sensitive information from arbitrary...

CVSS 7.1, AI score 6.8, EPSS 0.00108
Exploits 0, References 2
OSV
added 2025/08/13 7:45 p.m., 2 views

GHSA-FCXQ-V2R3-CC8H External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access

Summary: A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...

CVSS 7.1, AI score 6.3, EPSS 0.00108
Exploits 0, References 7