External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.

Basic Information

ID CVE-2026-42875

Source GitHub_M

Published May 11, 2026 at 18:56

Affected Product

Vendor external-secrets

Product external-secrets

Version < 2.4.0

Affected Versions external-secrets external-secrets < 2.4.0

CWE Classification

CWE-285 CWE-668

References

github.com /external-secrets/external-secrets/security/advisories/GHSA-wv26-88m5-6h59

{
    "lastseen": "",
    "description": "External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.",
    "published": "2026-05-11T18:56:34.097Z",
    "modified": "2026-05-11T18:56:34.097Z",
    "type": "cve",
    "title": "External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore",
    "source": "GitHub_M",
    "references": "https://github.com/external-secrets/external-secrets/security/advisories/GHSA-wv26-88m5-6h59",
    "id": "CVE-2026-42875",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285",
        "CWE-668"
    ],
    "cvelist": null,
    "sourceData": "external-secrets external-secrets < 2.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "external-secrets",
    "version": "< 2.4.0",
    "vendor": "external-secrets",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore_CVE-2026-42875