Kubernetes Secret Vulnerability in External Secrets Operator by External Secrets
CVE-2026-42876

4.9 MEDIUM

Key Information:

Vendor
CVE Published: 11 May 2026

What is CVE-2026-42876?

The External Secrets Operator integrates third-party secret stores with Kubernetes by creating Secrets. Before the fix, a user whose only permission was to create ExternalSecret resources could have the operator create Secrets of the type that Kubernetes automatically populates with long-lived service account tokens. That user could then impersonate service accounts in the namespace without holding any direct permission on TokenRequest or on Secrets of that type. The issue is fixed in version 2.4.1, a reminder that cloud-native tooling needs to be kept current to avoid this class of privilege escalation.

Affected Version(s)

external-secrets < 2.4.1
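The audit helpers below, an added example that is not code from the External Secrets project, show what a cluster operator can check for while rolling out the fix. The Secret type `kubernetes.io/service-account-token` and the `kubernetes.io/service-account.name` annotation are the real values the kube-controller-manager token controller acts on; that an ESO-created Secret carries an ownerReference of kind `ExternalSecret` is an assumption, as are the constructed sample objects, which stand in for the output of `kubectl get externalsecrets,secrets -o json`.

```python
"""Audit helpers for the External Secrets Operator token issue (CVE-2026-42876).

Added example, not code from the External Secrets project. Two checks:
  * ExternalSecret objects whose target template requests a
    service-account-token Secret (what an unpatched operator would act on);
  * existing service-account-token Secrets that the operator owns.
Run against real `kubectl ... -o json` output by loading the "items" list.
"""
from typing import Any, Dict, List

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"      # real Kubernetes Secret type
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"  # real annotation the token controller reads
FIXED_VERSION = (2, 4, 1)                                  # from the advisory


def _dig(obj: Any, *keys: str) -> Any:
    """Safely walk nested dicts; returns None if any key is missing or null."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def version_is_vulnerable(version: str) -> bool:
    """True when an external-secrets version string is older than 2.4.1."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return parts < FIXED_VERSION


def find_risky_external_secrets(manifests: List[dict]) -> List[str]:
    """namespace/name of ExternalSecret objects whose template type would make
    Kubernetes mint a long-lived service account token into the target Secret."""
    hits = []
    for obj in manifests:
        if obj.get("kind") != "ExternalSecret":
            continue
        if _dig(obj, "spec", "target", "template", "type") == SA_TOKEN_TYPE:
            ns = _dig(obj, "metadata", "namespace") or "default"
            hits.append(f"{ns}/{_dig(obj, 'metadata', 'name')}")
    return hits


def find_suspect_secrets(secrets: List[dict]) -> List[Dict[str, Any]]:
    """Service-account-token Secrets that are owned by an ExternalSecret.
    ASSUMPTION: ESO records ownership via an ownerReference of kind ExternalSecret."""
    findings = []
    for s in secrets:
        if s.get("type") != SA_TOKEN_TYPE:
            continue
        owners = _dig(s, "metadata", "ownerReferences") or []
        if not any(o.get("kind") == "ExternalSecret" for o in owners):
            continue
        annotations = _dig(s, "metadata", "annotations") or {}
        findings.append({
            "secret": f"{_dig(s, 'metadata', 'namespace')}/{_dig(s, 'metadata', 'name')}",
            "service_account": annotations.get(SA_NAME_ANNOTATION, "?"),
            "token_present": "token" in (s.get("data") or {}),
        })
    return findings


# Constructed sample objects (not from any real cluster).
SAMPLE_EXTERNAL_SECRETS = [
    {"kind": "ExternalSecret", "metadata": {"name": "db-creds", "namespace": "app"},
     "spec": {"target": {"name": "db-creds"}}},            # ordinary Opaque target: fine
    {"kind": "ExternalSecret", "metadata": {"name": "deployer-token", "namespace": "app"},
     "spec": {"target": {"name": "deployer-token", "template": {
         "type": SA_TOKEN_TYPE,
         "metadata": {"annotations": {SA_NAME_ANNOTATION: "deployer"}}}}}},
]

SAMPLE_SECRETS = [
    {"kind": "Secret", "type": SA_TOKEN_TYPE,                # ESO-owned token Secret: flagged
     "metadata": {"name": "deployer-token", "namespace": "app",
                  "annotations": {SA_NAME_ANNOTATION: "deployer"},
                  "ownerReferences": [{"kind": "ExternalSecret", "name": "deployer-token"}]},
     "data": {"token": "ZXlK...", "ca.crt": "LS0t..."}},
    {"kind": "Secret", "type": SA_TOKEN_TYPE,                # admin-created, no ESO owner: not flagged
     "metadata": {"name": "ci-token", "namespace": "app",
                  "annotations": {SA_NAME_ANNOTATION: "ci"}},
     "data": {"token": "ZXlK..."}},
    {"kind": "Secret", "type": "Opaque",                     # ESO-owned but harmless type
     "metadata": {"name": "db-creds", "namespace": "app",
                  "ownerReferences": [{"kind": "ExternalSecret", "name": "db-creds"}]},
     "data": {"password": "..."}},
]

if __name__ == "__main__":
    print("risky ExternalSecrets:", find_risky_external_secrets(SAMPLE_EXTERNAL_SECRETS))
    for f in find_suspect_secrets(SAMPLE_SECRETS):
        print("suspect Secret:", f)
```

Both checks are worth running: the ExternalSecret scan catches requests that a still-unpatched operator would honour, while the Secret scan finds tokens that were already minted and should be revoked by deleting the Secret and rotating the service account.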

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved