CVE-2026-22822External-secrets · External_secrets_operator
Vulnerability data via NVD (ingested)
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-22822product:"External-secrets External Secrets Operator"http.html:"External Secrets Operator"More intel sources (5)
vuln:CVE-2026-22822vulnerabilities.cve_id: CVE-2026-22822CVE-2026-22822CVE-2026-22822"CVE-2026-22822" exploit -site:nvd.nist.gov