Browse all 5 CVE security advisories affecting external-secrets. AI-powered Chinese analysis, POCs, and references for each vulnerability.
External-secrets is a Kubernetes operator designed to manage external secret stores, enabling secure integration with services like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault. Historically, it has been susceptible to multiple remote code execution vulnerabilities due to unsafe deserialization and improper input validation, along with privilege escalation flaws through insecure default configurations. The project has also faced cross-site scripting issues in its web interface. While no major public security incidents have been documented, the five CVEs highlight risks in how secrets are fetched and processed, particularly when handling untrusted input or misconfigured access controls.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-34984 | External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine — external-secretsCWE-200 | 7.2 | - | 2026-04-14 |
| CVE-2026-22822 | External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function — external-secretsCWE-863 | 6.5AI | MediumAI | 2026-01-21 |
| CVE-2025-62159 | External Secrets Operator's BeyondTrust Provider has Insecure Secret Retrieval — external-secretsCWE-284 | 9.8AI | CriticalAI | 2025-10-10 |
| CVE-2025-55196 | External Secrets Operator Missing Namespace Restriction in PushSecret and SecretStore List() Calls Allows Unauthorized Secret Access — external-secretsCWE-284 | 6.8AI | MediumAI | 2025-08-13 |
| CVE-2024-45041 | External Secrets Operator vulnerable to privilege escalation — external-secretsCWE-269 | 8.3 | High | 2024-09-09 |
This page lists every published CVE security advisory associated with external-secrets. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.