CVE-2026-22822: External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
The getSecretKey template function, although introduced for the senhasegura DevOps Secrets Management (DSM) provider, can fetch Kubernetes Secrets across namespaces using the RoleBinding granted to the external-secrets controller, bypassing our security mechanisms.
This function has been removed entirely, since everything it was used for can be achieved in other ways that respect our safeguards (for example, using sourceRef, as explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865).
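To locate manifests that still rely on the removed function before moving to a release without it, the following added example (not part of the advisory or of the project) scans ExternalSecret and ClusterExternalSecret manifests for getSecretKey template calls; the sample manifests are constructed and the function's argument list in them is a placeholder, not the real signature.

```python
import re
from collections import namedtuple
# Constructed sample manifests (not from the advisory): the first ExternalSecret
# calls the removed getSecretKey template function (argument list is a placeholder),
# the second reads from another store through sourceRef and must not be flagged.
SAMPLE_MANIFESTS = """\
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-config
  namespace: team-a
spec:
  target:
    template:
      data:
        db.conf: '{{ getSecretKey "db-creds" "password" }}'
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-tls
spec:
  data:
  - secretKey: cert
    sourceRef: {storeRef: {name: shared-store, kind: ClusterSecretStore}}
    remoteRef: {key: tls-cert}
"""
KINDS = {"ExternalSecret", "ClusterExternalSecret"}
TEMPLATE_CALL = re.compile(r"\{\{-?[^}]*\bgetSecretKey\b")  # {{ ... }} action calling it
Finding = namedtuple("Finding", "kind namespace name line text")

def _field(doc, key, indent=""):
    """Value of the first '<indent><key>: value' line (block-style YAML assumed)."""
    m = re.search(rf"^{indent}{key}:[ \t]*(.+?)[ \t]*$", doc, re.M)
    return m.group(1).strip("'\"") if m else ""

def find_get_secret_key(manifest):
    """Return a Finding for each line of a (Cluster)ExternalSecret that calls getSecretKey."""
    findings, start = [], 1
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        lines = doc.split("\n")
        kind = _field(doc, "kind")
        if kind in KINDS:
            ns, name = _field(doc, "namespace", "  "), _field(doc, "name", "  ")
            for offset, line in enumerate(lines):
                if TEMPLATE_CALL.search(line):
                    findings.append(Finding(kind, ns, name, start + offset, line.strip()))
        start += len(lines) - 1  # the '---' line is counted in both adjacent chunks
    return findings
```

Line numbers refer to the whole multi-document file, so each finding can be opened directly in the manifest repository.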
References
- github.com/advisories/GHSA-77v3-r3jw-j2v2
- github.com/external-secrets/external-secrets
- github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb
- github.com/external-secrets/external-secrets/issues/5690
- github.com/external-secrets/external-secrets/pull/3895
- github.com/external-secrets/external-secrets/releases/tag/v1.2.0
- github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2
- nvd.nist.gov/vuln/detail/CVE-2026-22822