CVE-2025-55196: External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
A vulnerability was discovered in the External Secrets Operator where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector.
This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.
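The following Go program is an added illustration of the pattern the advisory describes; it is not code from the External Secrets Operator. It uses a small in-memory stand-in for a Kubernetes client (the `Secret`, `ListOptions` and `listSecrets` types and functions are constructed for this example, as is the sample cluster data) to show why a List call that carries only a label selector returns matches from every namespace, and how scoping the call to the requesting object's own namespace restores the intended boundary.

```go
package main

import "fmt"

// Secret is a minimal stand-in for a Kubernetes Secret (constructed for this example).
type Secret struct {
	Namespace string
	Name      string
	Labels    map[string]string
}

// ListOptions mirrors the shape of a namespace + label-selector list request.
// This is a hypothetical type, not controller-runtime's real ListOptions.
type ListOptions struct {
	Namespace     string            // empty string means "all namespaces"
	LabelSelector map[string]string // every key/value pair must match
}

// fakeCluster is constructed sample data: two namespaces hold a secret with the
// same label, which is exactly the situation a namespace-less List would conflate.
var fakeCluster = []Secret{
	{Namespace: "team-a", Name: "db-creds", Labels: map[string]string{"app": "db"}},
	{Namespace: "team-b", Name: "db-creds", Labels: map[string]string{"app": "db"}},
	{Namespace: "team-a", Name: "tls", Labels: map[string]string{"app": "web"}},
}

// matchesLabels reports whether all selector pairs are present on the secret.
func matchesLabels(s Secret, sel map[string]string) bool {
	for k, v := range sel {
		if s.Labels[k] != v {
			return false
		}
	}
	return true
}

// listSecrets applies the namespace filter (when set) and then the label filter.
func listSecrets(all []Secret, opts ListOptions) []Secret {
	var out []Secret
	for _, s := range all {
		if opts.Namespace != "" && s.Namespace != opts.Namespace {
			continue
		}
		if !matchesLabels(s, opts.LabelSelector) {
			continue
		}
		out = append(out, s)
	}
	return out
}

// vulnerableLookup models the flawed pattern: only the label selector taken from
// the PushSecret spec is passed, so results span the whole cluster.
func vulnerableLookup(all []Secret, selector map[string]string) []Secret {
	return listSecrets(all, ListOptions{LabelSelector: selector})
}

// fixedLookup scopes the list to the namespace of the PushSecret that asked for it,
// so a selector can never reach into another tenant's namespace.
func fixedLookup(all []Secret, pushSecretNamespace string, selector map[string]string) []Secret {
	return listSecrets(all, ListOptions{Namespace: pushSecretNamespace, LabelSelector: selector})
}

func main() {
	sel := map[string]string{"app": "db"}
	fmt.Println("without namespace scope:", len(vulnerableLookup(fakeCluster, sel)), "secrets")
	fmt.Println("scoped to team-a:", len(fixedLookup(fakeCluster, "team-a", sel)), "secret")
}
```

In a real controller built on controller-runtime, the scoped call corresponds to passing `client.InNamespace(ns)` together with `client.MatchingLabels(sel)` to `List`; a review check for this class of bug is to confirm that every `List` of a namespaced resource carries an `InNamespace` option derived from the reconciled object's own namespace rather than from user-controlled input.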
References
- github.com/advisories/GHSA-fcxq-v2r3-cc8h
- github.com/external-secrets/external-secrets
- github.com/external-secrets/external-secrets/commit/39cdba5863533007b582dc63dd300839326b2f1d
- github.com/external-secrets/external-secrets/commit/de40e8f4fa9559c1d770bb674589b285da5ef2d1
- github.com/external-secrets/external-secrets/pull/5109
- github.com/external-secrets/external-secrets/pull/5133
- github.com/external-secrets/external-secrets/security/advisories/GHSA-fcxq-v2r3-cc8h
- nvd.nist.gov/vuln/detail/CVE-2025-55196