CVE-2026-22822 - External Secrets Operator insecurely retrieves secrets through the getSecretKey ...

CVE ID : CVE-2026-22822 Published : Jan. 21, 2026, 9:22 p.m. | 10 minutes ago Description : External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...