CVE-2026-42875 PUBLISHED

External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

Assigner: GitHub_M
Reserved: 30.04.2026 | Published: 11.05.2026 | Updated: 11.05.2026

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.
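The invariant the fix restores is that a namespaced SecretStore may only resolve CA material from its own namespace. The audit below, an added example that is not code from the External Secrets Operator project, walks SecretStore manifests (the `items` list that `kubectl get secretstores -A -o json` returns) and reports every `caProvider` whose `namespace` differs from the store's own namespace, which is exactly the configuration the advisory describes. It assumes that the CA reference sits somewhere under `spec.provider` in a key named `caProvider` (it searches recursively rather than relying on one provider's exact field path), and the sample manifests are constructed for the example. ClusterSecretStore objects are skipped because they are cluster-scoped and legitimately name a namespace.

```python
"""Audit SecretStore manifests for cross-namespace caProvider references.

Added example, not External Secrets Operator code. Input shape assumed:
the `items` list from `kubectl get secretstores -A -o json`, with the CA
reference found under spec.provider in a key named `caProvider`.
"""
import json
import sys
from typing import Any, Iterator

# Constructed sample manifests (not real cluster data). Only the first one
# references a ConfigMap outside the store's own namespace.
SAMPLE_ITEMS = [
    {
        "kind": "SecretStore",
        "metadata": {"name": "vault-team-a", "namespace": "team-a"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "kube-system"},
        }}},
    },
    {
        "kind": "SecretStore",
        "metadata": {"name": "vault-team-b", "namespace": "team-b"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "team-b"},
        }}},
    },
    {
        "kind": "SecretStore",
        "metadata": {"name": "k8s-team-c", "namespace": "team-c"},
        "spec": {"provider": {"kubernetes": {
            # No namespace field at all: resolves in the store's namespace.
            "server": {"caProvider": {"type": "ConfigMap",
                                      "name": "root-ca", "key": "ca.crt"}},
        }}},
    },
    {
        "kind": "ClusterSecretStore",
        "metadata": {"name": "shared-vault"},
        "spec": {"provider": {"vault": {
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "kube-system"},
        }}},
    },
]


def _iter_ca_providers(node: Any, path: str = "spec") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, caProvider dict) for every `caProvider` key under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "caProvider" and isinstance(value, dict):
                yield child, value
            else:
                yield from _iter_ca_providers(value, child)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _iter_ca_providers(value, f"{path}[{idx}]")


def find_cross_namespace_ca_refs(items: list[dict]) -> list[dict]:
    """Return one finding per namespaced SecretStore caProvider that names another namespace.

    ClusterSecretStore is cluster-scoped and is expected to carry a namespace, so it
    is skipped. Any caProvider type is reported; the advisory concerns ConfigMap, and
    the `type` field is kept in the finding so those can be prioritised.
    """
    findings = []
    for item in items:
        if item.get("kind") != "SecretStore":
            continue
        meta = item.get("metadata", {})
        store_ns = meta.get("namespace")
        for path, ca in _iter_ca_providers(item.get("spec", {})):
            ref_ns = ca.get("namespace")
            if ref_ns and ref_ns != store_ns:
                findings.append({
                    "store": f"{store_ns}/{meta.get('name')}",
                    "path": path,
                    "type": ca.get("type"),
                    "ref": f"{ref_ns}/{ca.get('name')}",
                })
    return findings


if __name__ == "__main__":
    # Pipe `kubectl get secretstores -A -o json` into this script, or run it
    # with no input to audit the constructed sample.
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for f in find_cross_namespace_ca_refs(items):
        print(f"{f['store']}: {f['path']} ({f['type']}) -> {f['ref']}")
```

Every line of output identifies a store that would have read CA material across the namespace boundary on an affected version; after upgrading to 2.4.0 the same manifests are the ones that will stop resolving, so the audit doubles as a pre-upgrade compatibility check.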

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor: external-secrets
Product: external-secrets
Versions:
  • Version < 2.4.0 is affected

References

Problem Types

  • CWE-285: Improper Authorization
  • CWE-668: Exposure of Resource to Wrong Sphere