CVE-2026-42876
ExternalSecrets vulnerable to privilege escalation with secret overwriting
描述
ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to. ### Impact A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the sepcified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. The problem is mitigated in severity by the fact that the user must have pre-existing permissions already at almost the same level as the escalation later gives. The attacker cannot use this method to gain access to more information without other things also being misconfigured in the ESO installation. ### Patches Disallow this combination including the bootstrap token secret type. ### Workarounds * Add admission control logic to prevent the use of Templates targeting undesired Types * Remove Service Account Token generation via kube-controller-manager flags * Restrict User RBAC on production clusters and sensitive namespaces
如何修補 CVE-2026-42876
要修補 CVE-2026-42876,請將受影響套件升級到下列已修補版本。
- —升級至 2.4.1 或更新版本
CVE-2026-42876 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 0.1.0, < 2.4.1