Kubernetes Operator Vulnerability in External Secrets Management by External Secrets
CVE-2025-55196
What is CVE-2025-55196?
The External Secrets Operator, a tool for integrating external secret management systems with Kubernetes, has a significant vulnerability in versions 0.15.0 and later, before 0.19.2. The PushSecret controller's List() calls for both Kubernetes Secrets and SecretStore resources lacked a Namespace selector. Because of this omission, a label selector could be used to list and access Secrets across namespaces, circumventing the intended namespace boundaries. An attacker who can create or modify PushSecret resources, or manipulate SecretStore configurations, can exploit this flaw to exfiltrate sensitive data such as credentials and tokens, potentially leading to widespread disclosure within the Kubernetes cluster. The vulnerability has been fixed in version 0.19.2. Recommended measures include auditing and limiting RBAC permissions so that only trusted service accounts can create or update these resources.
Affected Version(s)
external-secrets >= 0.15.0, < 0.19.2
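The advisory's two defensive checks, confirming whether a deployed operator falls in the affected range and finding every RBAC subject that can create or update PushSecret or SecretStore objects, can be scripted against the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. The following is an added example written for this page; it is not code from the External Secrets project. It assumes the operator's API group is `external-secrets.io`, treats `patch` as a write verb alongside the `create` and `update` named in the advisory, and uses a constructed set of RBAC objects as input. It does not follow aggregated ClusterRoles or the `escalate`, `bind` and `impersonate` verbs, so a clean report from it is a necessary but not sufficient condition.

```python
# Added audit helper for CVE-2025-55196 (not part of the External Secrets project).
# Input format assumed: the "items" list from
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
from typing import Dict, List, Set, Tuple

# Affected range stated in the advisory: >= 0.15.0, < 0.19.2
AFFECTED_MIN = (0, 15, 0)
FIXED_IN = (0, 19, 2)

# Resources whose create/update rights enable the cross-namespace listing.
# "external-secrets.io" is assumed to be the operator's API group.
SENSITIVE = {("external-secrets.io", "pushsecrets"), ("external-secrets.io", "secretstores")}
# "patch" is included: it modifies the object just as "update" does.
WRITE_VERBS = {"create", "update", "patch"}


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Turn an image tag such as 'v0.18.1' or '0.19.2-rc.1' into a comparable tuple."""
    core = tag.lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(tag: str) -> bool:
    """True when the operator version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(tag) < FIXED_IN


def rule_write_verbs(rule: Dict, group: str, resource: str) -> Set[str]:
    """Return the write verbs this RBAC rule grants on group/resource ('*' counts)."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    if not ("*" in groups or group in groups):
        return set()
    if not ("*" in resources or resource in resources):
        return set()
    return {v for v in verbs if v == "*" or v in WRITE_VERBS}


def audit(items: List[Dict]) -> List[Dict]:
    """List every subject that can create/update PushSecret or SecretStore objects.

    Roles are indexed by (kind, namespace, name) and bindings are resolved against
    them. Aggregated ClusterRoles and escalate/bind/impersonate are not followed.
    """
    roles: Dict[Tuple[str, str, str], List[Dict]] = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])

    findings: List[Dict] = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        ns = obj["metadata"].get("namespace", "") if obj["kind"] == "RoleBinding" else ""
        # A RoleBinding may reference a ClusterRole; the grant is then namespace-scoped.
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]), [])
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else f"namespace/{ns}"
        for group, resource in sorted(SENSITIVE):
            verbs: Set[str] = set()
            for rule in rules:
                verbs |= rule_write_verbs(rule, group, resource)
            if not verbs:
                continue
            for subj in obj.get("subjects", []):
                if subj["kind"] == "ServiceAccount":
                    who = f"ServiceAccount:{subj.get('namespace', '')}/{subj['name']}"
                else:
                    who = f"{subj['kind']}:{subj['name']}"
                findings.append({"subject": who, "resource": resource, "verbs": sorted(verbs),
                                 "scope": scope, "via": f"{obj['kind']}/{obj['metadata']['name']}"})
    return findings


# Constructed sample RBAC objects (not from any real cluster).
SAMPLE_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "eso-admin"},
     "rules": [{"apiGroups": ["external-secrets.io"], "resources": ["pushsecrets", "secretstores"],
                "verbs": ["get", "list", "create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "eso-readonly", "namespace": "team-a"},
     "rules": [{"apiGroups": ["external-secrets.io"], "resources": ["pushsecrets"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "eso-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "eso-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "eso-ro", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "eso-readonly"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-b-admin", "namespace": "team-b"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    print("operator v0.18.1 affected:", is_affected("v0.18.1"))
    for f in audit(SAMPLE_RBAC):
        print(f"{f['subject']:32} {f['resource']:13} {','.join(f['verbs']):14} "
              f"{f['scope']:18} via {f['via']}")
```

On the constructed input the read-only `developers` group produces no finding, while the `ci-deployer` service account (cluster-wide, via a ClusterRoleBinding) and `alice` (namespace `team-b`, via a RoleBinding to `cluster-admin`) are reported; each reported subject is one whose compromise would let the cross-namespace listing be triggered on an unpatched operator, so the list is the set of identities to review before and after upgrading to 0.19.2.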