JustAppSec
MEDIUM SeverityCVSS 4.05.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVE-2026-42875

Last updated May 11, 2026 · Published May 11, 2026

← Back to list

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.

Affected products

1 listed
  • external-secrets:external-secrets

Mappings

CWE

CWE-285CWE-668

CAPEC

None listed.

Related

Research

Training

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms

Need help?Get in touch.