4 matches found
CVE-2024-36540
CVE-2024-36540 affects external-secrets v0.9.16: insecure permissions in the service account token handling allow an attacker to access sensitive data and escalate privileges. Multiple feeds describe the root cause as insecure permissions enabling t...
CVE-2024-45041
CVE-2024-45041 affects the External Secrets Operator. A deployment named default-external-secrets-cert-controller is bound to a ClusterRole that grants it get/list on secrets resources and patch/update on validatingwebhookconfigurations. This RBAC configuration can be a...
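The grant combination the advisory describes is easy to spot mechanically. The following is an added example, not code from the External Secrets project: it audits a ClusterRole in the JSON shape `kubectl get clusterrole <name> -o json` produces and flags unscoped read access to Secrets, unscoped write access to ValidatingWebhookConfigurations, and the pairing of the two. The two embedded roles are constructed for the demo; the weak one follows the advisory's description, while the scoped one is only an illustrative tightening using resourceNames (the secret and webhook names in it are placeholders, not ESO's real object names).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyRule and ClusterRole cover the subset of the
// rbac.authorization.k8s.io/v1 schema this check needs.
type PolicyRule struct {
	APIGroups     []string `json:"apiGroups"`
	Resources     []string `json:"resources"`
	ResourceNames []string `json:"resourceNames,omitempty"`
	Verbs         []string `json:"verbs"`
}

type ClusterRole struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// grant is one (apiGroup, resource, verb) triple we treat as sensitive.
type grant struct{ group, resource, verb string }

var (
	secretRead   = []grant{{"", "secrets", "get"}, {"", "secrets", "list"}}
	webhookWrite = []grant{
		{"admissionregistration.k8s.io", "validatingwebhookconfigurations", "patch"},
		{"admissionregistration.k8s.io", "validatingwebhookconfigurations", "update"},
	}
)

// matches honours the RBAC wildcard "*".
func matches(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// grantsUnscoped reports whether some rule allows g on every object of that
// kind, i.e. without a resourceNames restriction.
func grantsUnscoped(role ClusterRole, g grant) bool {
	for _, r := range role.Rules {
		if len(r.ResourceNames) > 0 {
			continue
		}
		if matches(r.APIGroups, g.group) && matches(r.Resources, g.resource) && matches(r.Verbs, g.verb) {
			return true
		}
	}
	return false
}

func anyUnscoped(role ClusterRole, gs []grant) bool {
	for _, g := range gs {
		if grantsUnscoped(role, g) {
			return true
		}
	}
	return false
}

// Audit returns one finding per dangerous capability, plus one for the pairing.
func Audit(role ClusterRole) []string {
	var findings []string
	reads := anyUnscoped(role, secretRead)
	writes := anyUnscoped(role, webhookWrite)
	if reads {
		findings = append(findings, role.Metadata.Name+": reads Secrets cluster-wide")
	}
	if writes {
		findings = append(findings, role.Metadata.Name+": rewrites ValidatingWebhookConfigurations cluster-wide")
	}
	if reads && writes {
		findings = append(findings, role.Metadata.Name+": holder can read every Secret and tamper with admission webhooks")
	}
	return findings
}

// AuditJSON audits a ClusterRole serialised as by `kubectl get clusterrole <name> -o json`.
func AuditJSON(doc string) ([]string, error) {
	var role ClusterRole
	if err := json.Unmarshal([]byte(doc), &role); err != nil {
		return nil, err
	}
	return Audit(role), nil
}

// Constructed sample: the shape described in the advisory.
const WeakClusterRole = `{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "default-external-secrets-cert-controller"},
 "rules": [
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["admissionregistration.k8s.io"], "resources": ["validatingwebhookconfigurations"],
   "verbs": ["get", "list", "watch", "update", "patch"]}]}`

// Constructed illustration of a tightened role: every rule is pinned to named objects
// (placeholder names). "list" is dropped because resourceNames only constrains
// list/watch when the request carries a metadata.name field selector.
const ScopedClusterRole = `{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "cert-controller-scoped"},
 "rules": [
  {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["webhook-tls"], "verbs": ["get", "watch"]},
  {"apiGroups": ["admissionregistration.k8s.io"], "resources": ["validatingwebhookconfigurations"],
   "resourceNames": ["example-validating-webhook"], "verbs": ["get", "update", "patch"]}]}`

func main() {
	for _, doc := range []string{WeakClusterRole, ScopedClusterRole} {
		findings, err := AuditJSON(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

The check deliberately ignores ClusterRoleBindings and Roles; in a real audit you would walk every subject bound to a flagged ClusterRole and confirm which pods run under that ServiceAccount, since the risk is what a compromised pod holding that token can do.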
CVE-2026-22822
CVE-2026-22822 affects the External Secrets Operator. The root issue is the getSecretKey templating function, which in versions from 0.20.2 up to but not including 1.2.0 allowed cross-namespace retrieval of secrets via the controller's roleBinding, bypassing the intended safeguards. This could lead to unauthori...
CVE-2026-34984
External Secrets Operator (ESO) versions 2.2.0 and earlier are vulnerable because the v2 template engine exposes getHostByName in runtime/template/v2/template.go. An attacker who can create or update templated ExternalSecret resources can trigger controller-side DNS lookups using secre...
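Both CVE-2026-22822 and CVE-2026-34984 come down to what the template engine lets a templated ExternalSecret call: a secret lookup that is not pinned to the ExternalSecret's own namespace, and a function that can reach DNS from the controller. The block below is an added example in Go's text/template, not ESO's code, showing the two controls together: the function map contains a getSecretKey closed over the rendering namespace (its three-argument namespace/name/key signature is an assumption for this demo, not ESO's real signature) and contains no network-capable helper at all, so a template that names getHostByName is rejected at parse time. The secret store is constructed in-memory data.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// SecretStore stands in for the cluster: namespace -> secret name -> key -> value.
type SecretStore map[string]map[string]map[string]string

// SampleStore is constructed data for the demo, not from any real cluster.
var SampleStore = SecretStore{
	"app":         {"db": {"password": "s3cret"}},
	"kube-system": {"bootstrap": {"token": "do-not-leak"}},
}

// funcsFor is the only function map the renderer offers. getSecretKey (assumed
// signature: namespace, name, key) is closed over the namespace of the
// ExternalSecret being rendered and refuses any other one; nothing that can
// reach DNS or the network, such as Sprig's getHostByName, is registered.
func funcsFor(store SecretStore, ns string) template.FuncMap {
	return template.FuncMap{
		"getSecretKey": func(namespace, name, key string) (string, error) {
			if namespace != ns {
				return "", fmt.Errorf("cross-namespace access denied: %s/%s requested from namespace %s", namespace, name, ns)
			}
			v, ok := store[namespace][name][key]
			if !ok {
				return "", fmt.Errorf("secret %s/%s has no key %q", namespace, name, key)
			}
			return v, nil
		},
		"upper": strings.ToUpper,
	}
}

// Render parses and executes tmpl on behalf of an ExternalSecret in ns.
// A template naming a function outside the map fails at parse time, before
// any lookup happens; a cross-namespace getSecretKey fails at execution.
func Render(store SecretStore, ns, tmpl string) (string, error) {
	t, err := template.New("es").Funcs(funcsFor(store, ns)).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	cases := []string{
		`{{ getSecretKey "app" "db" "password" | upper }}`,       // same namespace: allowed
		`{{ getSecretKey "kube-system" "bootstrap" "token" }}`,   // other namespace: refused
		`{{ getHostByName "x.example" }}`,                        // not in the map: parse error
	}
	for _, c := range cases {
		out, err := Render(SampleStore, "app", c)
		fmt.Printf("%-52s -> %q err=%v\n", c, out, err)
	}
}
```

The parse-time rejection is the important property: an allowlisted FuncMap means a malicious template never executes far enough to issue a lookup, whereas filtering template text for the string "getHostByName" would miss any alias or indirect call a richer engine exposes.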