CVE-2026-42875
EPSS 0.04%External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
Description
### Impact Namespaced SecretStore resources that used CAProvider with type `ConfigMap` could resolve CA material from another namespace when `caProvider.namespace` was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. The accessible data is used as CA validation material, hence it is not directly exposed. Impact: - Direct data exfiltration risk: low - Existence disclosure: an attacker can infer whether a target ConfigMap/key exists in another namespace. - Trust-boundary violation: a tenant can make its SecretStore consume CA material owned by another namespace.
Affected packages (1)
- Go/github.com/external-secrets/external-secretsfrom 0, < 2.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |