CVE-2026-42876
External Secrets Operator: Privilege escalation with secret overwriting
CVSS Score
4.9
EPSS Score
0.0%
EPSS Percentile
6th
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.
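The following audit script is an added example, not code from the external-secrets project or from this advisory. It walks a list of ExternalSecret objects (constructed inline, in the shape that `kubectl get externalsecrets -A -o json` returns under `items`) and flags any whose target template would make the operator write a Secret of type `kubernetes.io/service-account-token`, the type Kubernetes auto-populates with a long-lived token for the service account named in the `kubernetes.io/service-account.name` annotation. It assumes the ExternalSecret fields `spec.target.name`, `spec.target.template.type` and `spec.target.template.metadata.annotations`, and that `target.name` defaults to the ExternalSecret's own name; the version helper encodes only the advisory's "< 2.4.1" affected range.

```python
"""Audit ExternalSecret objects for targets that would become
service-account token Secrets (the CVE-2026-42876 pattern).

Added example, not external-secrets project code. Field names for the
ExternalSecret template are assumptions documented in the lead-in; the
sample objects below are constructed for this example.
"""
from typing import Any, Dict, List, Optional, Tuple

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
FIXED_VERSION: Tuple[int, ...] = (2, 4, 1)  # first fixed release per the advisory


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn a release or image tag such as 'v2.3.0' into a comparable tuple."""
    core = tag.lstrip("v").split("-", 1)[0]  # drop a pre-release suffix like '-rc1'
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(tag: str) -> bool:
    """True for every release before 2.4.1 (the advisory's affected range)."""
    return parse_version(tag) < FIXED_VERSION


def finding_for(es: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return a finding if this ExternalSecret's target would be an SA token Secret.

    Both the explicit Secret type and the bare annotation are reported: only
    the type triggers Kubernetes' token controller, but an annotation-only
    template is still a configuration nobody should need in an ExternalSecret.
    """
    meta = es.get("metadata") or {}
    target = (es.get("spec") or {}).get("target") or {}
    template = target.get("template") or {}
    secret_type = template.get("type") or "Opaque"  # Kubernetes default type
    annotations = (template.get("metadata") or {}).get("annotations") or {}
    sa_name = annotations.get(SA_NAME_ANNOTATION)
    if secret_type != SA_TOKEN_TYPE and sa_name is None:
        return None
    return {
        "namespace": meta.get("namespace", ""),
        "name": meta.get("name", ""),
        # assumption: an empty target.name means the Secret takes the ES name
        "secret": target.get("name") or meta.get("name", ""),
        "type": secret_type,
        "service_account": sa_name or "(annotation missing)",
    }


def audit(items: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Collect findings over a list of ExternalSecret objects, in input order."""
    return [f for f in (finding_for(es) for es in items) if f is not None]


# Constructed sample: one benign ExternalSecret and two that warrant review.
SAMPLE_EXTERNALSECRETS: List[Dict[str, Any]] = [
    {
        "metadata": {"namespace": "payments", "name": "db-creds"},
        "spec": {"target": {"name": "db-creds", "template": {"type": "Opaque"}}},
    },
    {
        "metadata": {"namespace": "payments", "name": "sa-token-copy"},
        "spec": {"target": {
            "name": "app-admin-token",
            "template": {
                "type": SA_TOKEN_TYPE,
                "metadata": {"annotations": {SA_NAME_ANNOTATION: "app-admin"}},
            },
        }},
    },
    {
        "metadata": {"namespace": "payments", "name": "legacy-annotation"},
        "spec": {"target": {"template": {
            "metadata": {"annotations": {SA_NAME_ANNOTATION: "reporter"}},
        }}},
    },
]


if __name__ == "__main__":
    operator_tag = "v2.3.0"  # constructed; read the real tag from the operator Deployment
    print(f"operator {operator_tag} affected: {is_vulnerable_version(operator_tag)}")
    for f in audit(SAMPLE_EXTERNALSECRETS):
        print(f"{f['namespace']}/{f['name']} -> Secret {f['secret']} "
              f"type={f['type']} serviceAccount={f['service_account']}")
```

Feed it the `items` array from a live `kubectl get externalsecrets -A -o json` dump; any finding in a cluster running an operator older than 2.4.1 means a subject with only `create` on ExternalSecret resources could have obtained a token for that service account, so review who holds that permission in the namespace alongside upgrading to 2.4.1.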
| CWE | CWE-285 |
| Vendor | external-secrets |
| Product | external-secrets |
| Published | May 11, 2026 |
| Last Updated | May 12, 2026 |
CVSS v3 Breakdown
| Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| external-secrets / external-secrets | < 2.4.1 |
References
- github.com: https://github.com/external-secrets/external-secrets/security/advisories/GHSA-fq7h-9x26-6j22
- github.com: https://github.com/external-secrets/external-secrets/commit/4ddd240af7fe88725d9857b9a0c198073502e288
- github.com: https://github.com/external-secrets/external-secrets/releases/tag/v2.4.1