CVE-2026-22822
Published: 21 January 2026
Summary
CVE-2026-22822 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the External Secrets Operator (vendor: External-Secrets). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 0.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely patching of the External Secrets Operator to version 1.2.0 or later, where the exploitable `getSecretKey` function is fully removed.
- Enforces least privilege on the external-secrets controller's roleBindings to restrict cross-namespace secret access, preventing exploitation even if the vulnerable function is invoked.
- Establishes and enforces secure configuration settings using policy engines such as Kyverno or OPA to block `getSecretKey` usage in ExternalSecret resources as a workaround.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables unauthorized cross-namespace secret retrieval via the controller's permissions (bypassing authorization), facilitating privilege escalation (T1068) and access to unsecured credentials and secrets (T1552).
NVD Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards. As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
Deeper analysis
CVE-2026-22822 is a vulnerability in the External Secrets Operator, a Kubernetes component that reads information from third-party services and injects it as Kubernetes Secrets. Affecting versions starting from 0.20.2 up to but not including 1.2.0, the issue stems from the `getSecretKey` template function, originally introduced for the senhasegura DevOps Secrets Management (DSM) provider. This function enables fetching secrets across namespaces using the roleBinding permissions of the external-secrets controller, thereby bypassing the operator's intended security mechanisms. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-863 (Incorrect Authorization).
An attacker with low privileges (PR:L) and local access (AV:L) to the Kubernetes cluster can exploit this vulnerability by crafting an ExternalSecret resource that invokes the `getSecretKey` function. Because the template is rendered by the controller, the lookup runs with the controller's elevated roleBinding permissions rather than the attacker's own, giving unauthorized access to secrets in namespaces beyond the attacker's scope. Successful exploitation results in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), as the attacker can read, potentially modify, or disrupt sensitive secret data across the cluster.
Mitigation involves upgrading to External Secrets Operator version 1.2.0 or later, where the `getSecretKey` function has been completely removed, with equivalent functionality achievable through safer templating methods that respect the operator's safeguards. As a workaround prior to upgrading, deploy a policy engine such as Kubernetes Network Policies, Kyverno, Kubewarden, or OPA/Gatekeeper to block the use of `getSecretKey` in any ExternalSecret resources. Official advisories and patches are detailed in the project's GitHub security advisory (GHSA-77v3-r3jw-j2v2), release notes for v1.2.0, and related pull request #3895.
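The workaround named in the Mitigating Controls list and in the paragraph above (block any ExternalSecret that uses `getSecretKey`) is shown here as an added, self-contained admission-style check; it is not code from the advisory, the ESO project, or any policy engine. It assumes that ESO only evaluates template functions under `spec.target.template`, and the sample manifest, its `getSecretKey` arguments, and the review `uid` are constructed placeholders.

```python
import re
from typing import Any, Iterator

# Whole-token match: a key literally named "getSecretKeys" is a different
# identifier and is not flagged; any real call to the function is.
GET_SECRET_KEY = re.compile(r"\bgetSecretKey\b")


def _string_leaves(node: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (path, value) for every string nested anywhere under `node`."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _string_leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _string_leaves(value, f"{path}[{i}]")


def find_get_secret_key_usages(external_secret: dict) -> list[str]:
    """Paths inside spec.target.template (data, templateFrom, metadata) that
    use getSecretKey. Assumption: ESO renders templates only in that subtree."""
    spec = external_secret.get("spec") or {}
    template = (spec.get("target") or {}).get("template") or {}
    return [path for path, value in _string_leaves(template, "spec.target.template")
            if GET_SECRET_KEY.search(value)]


def admission_response(review: dict) -> dict:
    """Answer an AdmissionReview: deny when the template calls getSecretKey."""
    request = review["request"]
    hits = find_get_secret_key_usages(request["object"])
    response = {"uid": request["uid"], "allowed": not hits}
    if hits:
        response["status"] = {"code": 403,
                              "message": "getSecretKey is blocked (CVE-2026-22822): "
                                         + ", ".join(hits)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample manifest; the function arguments are placeholders, not
# ESO's real getSecretKey signature. Only the function name matters here.
BAD_ES = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "demo", "namespace": "tenant-a"},
    "spec": {"target": {"name": "demo", "template": {"data": {
        "token": '{{ getSecretKey "other-ns" "db-creds" "password" }}'}}}},
}
```

The same walk covers `templateFrom` literals, so a call hidden there is reported with its list index in the denial message.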
Details
- CWE(s)