Kubernetes Secrets Vulnerability in External Secrets Operator by External Secrets
CVE-2026-42875

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 11 May 2026

What is CVE-2026-42875?

External Secrets Operator, which manages secrets in Kubernetes, mishandles namespaced SecretStore resources in versions prior to 2.4.0. When a namespaced SecretStore was configured with a caProvider of type ConfigMap, the operator resolved Certificate Authority (CA) material from other namespaces if caProvider.namespace was set. This broke namespace isolation and could lead to unauthorized access to sensitive information across namespaces. Version 2.4.0 fixes the issue and enforces the namespace boundary.
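An added audit example (not code from the External Secrets project or from this advisory) that lists namespaced SecretStores matching the condition described above: a caProvider of type ConfigMap whose namespace differs from the store's own. It assumes input shaped like `kubectl get secretstores.external-secrets.io -A -o json`; the store names, namespaces and provider paths in the sample are constructed.

```python
import json
import sys

def find_ca_providers(node, path="spec.provider"):
    """Yield (path, block) for every caProvider mapping nested under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "caProvider" and isinstance(value, dict):
                yield f"{path}.{key}", value
            else:
                yield from find_ca_providers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_ca_providers(item, f"{path}[{i}]")

def cross_namespace_ca_refs(store_list):
    """Return namespaced SecretStores whose ConfigMap caProvider names another namespace."""
    findings = []
    for item in store_list.get("items", []):
        if item.get("kind") != "SecretStore":  # ClusterSecretStore is not namespaced
            continue
        meta = item.get("metadata", {})
        provider = item.get("spec", {}).get("provider", {})
        for path, ca in find_ca_providers(provider):
            ref_ns = ca.get("namespace")
            if ca.get("type") == "ConfigMap" and ref_ns and ref_ns != meta.get("namespace"):
                findings.append((meta.get("namespace"), meta.get("name"), path, ref_ns))
    return findings

def _store(kind, ns, name, provider):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "spec": {"provider": provider}}

def _ca(kind, ns=None):
    block = {"type": kind, "name": "corp-ca", "key": "ca.crt"}
    return {**block, "namespace": ns} if ns else block

# Constructed sample (all names made up), shaped like the kubectl JSON list output.
SAMPLE = {"items": [
    _store("SecretStore", "team-a", "vault-a", {"vault": {"caProvider": _ca("ConfigMap", "team-b")}}),
    _store("SecretStore", "team-a", "k8s-a", {"kubernetes": {"server": {"caProvider": _ca("ConfigMap", "pki")}}}),
    _store("SecretStore", "team-a", "vault-local", {"vault": {"caProvider": _ca("ConfigMap")}}),
    _store("SecretStore", "team-c", "vault-c", {"vault": {"caProvider": _ca("Secret", "team-b")}}),
    _store("ClusterSecretStore", None, "vault-global", {"vault": {"caProvider": _ca("ConfigMap", "pki")}}),
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name, path, ref_ns in cross_namespace_ca_refs(data):
        print(f"{ns}/{name}: {path} references ConfigMap in namespace {ref_ns}")
```

Run it with a saved JSON file as the first argument to audit a real cluster export; with no argument it reports on the constructed sample.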

Affected Version(s)

external-secrets < 2.4.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
