External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
A vulnerability was discovered in the External Secrets Operator where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.