External Secrets Operator vulnerable to privilege escalation
Description
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets chart ships a Deployment called default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. This ClusterRole grants the "get" and "list" verbs on secrets resources, and the "patch" and "update" verbs on validatingwebhookconfigurations resources. An attacker holding the deployment's service account token can therefore retrieve all Secrets in the whole cluster, rewrite a validating webhook to capture and log the data of every request that attempts to update a Secret, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
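An added audit check (example code, not from the advisory or the external-secrets project) that walks a ClusterRole's rules and flags the grants described above when they are not narrowed by resourceNames. Both roles are constructed for the example (the vulnerable one mirrors the description, the fixed one the shape of the fix commits on this page), and the RISKY table is an assumption about what a cert controller should never hold unscoped.

```python
# Audit ClusterRole rules for the over-broad grants this advisory describes.

# Constructed (hypothetical) role modelled on the advisory's description of the
# pre-0.10.2 cert-controller ClusterRole; not copied from the chart.
VULNERABLE_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
]}

# Constructed role shaped like the fix commits on this page: mutating verbs only
# on the two named webhook configurations (Secrets rule omitted for brevity).
FIXED_ROLE = {"rules": [
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"], "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "resourceNames": ["secretstore-validate", "externalsecret-validate"],
     "verbs": ["update", "patch"]},
]}

# (apiGroup, resource, verb) grants a cert controller should never hold unscoped;
# this table is an assumption made for the example, not part of the advisory.
WEBHOOKS = ("admissionregistration.k8s.io", "validatingwebhookconfigurations")
RISKY = {
    ("", "secrets", "get"): "read any Secret in the cluster",
    ("", "secrets", "list"): "list every Secret in the cluster",
    WEBHOOKS + ("update",): "rewrite any validating webhook",
    WEBHOOKS + ("patch",): "rewrite any validating webhook",
}

def _matches(rule_values, wanted):
    # RBAC rules may use "*" as a wildcard for groups, resources and verbs.
    return "*" in rule_values or wanted in rule_values

def audit_rules(role):
    """Return (group, resource, verb, reason) for each risky grant not narrowed by name."""
    findings = []
    for rule in role.get("rules", []):
        for (group, resource, verb), reason in RISKY.items():
            if not (_matches(rule.get("apiGroups", []), group)
                    and _matches(rule.get("resources", []), resource)
                    and _matches(rule.get("verbs", []), verb)):
                continue
            # resourceNames narrows get/update/patch; list and watch stay collection-wide.
            if rule.get("resourceNames") and verb not in ("list", "watch"):
                continue
            findings.append((group, resource, verb, reason))
    return findings
```

Feed it the `rules` of a live ClusterRole (for example the JSON from `kubectl get clusterrole <name> -o json`) to check an installed chart; an empty result means no unscoped risky grant was found.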
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/external-secrets/external-secrets (Go) | < 0.10.2 | 0.10.2 |
Affected products
- Range: < 0.10.2
Patches
0368b9806f66 fix: add watch to validatingwebhookconfigs (#3845)
1 file changed · +2 −2
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml+2 −2 modified@@ -22,6 +22,8 @@ rules: - "validatingwebhookconfigurations" verbs: - "list" + - "watch" + - "get" - apiGroups: - "admissionregistration.k8s.io" resources: @@ -30,8 +32,6 @@ rules: - "secretstore-validate" - "externalsecret-validate" verbs: - - "get" - - "watch" - "update" - "patch" - apiGroups:
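Review bot: moving "get" out of the resourceNames-scoped rule (second hunk, @@ -30,8 +32,6 @@) into the unscoped rule at @@ -22,6 +22,8 @@ widens read access from the two named webhook configurations to every ValidatingWebhookConfiguration in the cluster, and nothing in the change explains why. Only "watch" needs the unscoped rule, because the controller's informer watches the whole collection and resourceNames cannot filter that; "get" works fine under resourceNames. Keep `- "get"` in the rule that lists `secretstore-validate` and `externalsecret-validate`, add only `- "watch"` to the first rule, and leave a YAML comment recording that list/watch cannot be name-scoped so the next person does not move it back.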
428a452fd2ad add the resourceNames (git commit -s) (#3822)
2 files changed · +10 −2
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml+9 −1 modified@@ -21,8 +21,16 @@ rules: resources: - "validatingwebhookconfigurations" verbs: - - "get" - "list" + - apiGroups: + - "admissionregistration.k8s.io" + resources: + - "validatingwebhookconfigurations" + resourceNames: + - "secretstore-validate" + - "externalsecret-validate" + verbs: + - "get" - "watch" - "update" - "patch"
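Review bot: "watch" ends up under the new resourceNames-scoped rule (the unchanged `- "watch"` context line directly after the added `+ - "get"`), but a watch on the collection is not filtered by resourceNames, so the cert controller's informer will be forbidden at runtime even though the RBAC looks tighter. Keep "watch" beside "list" in the unscoped rule and scope only "get", "update" and "patch" to `secretstore-validate` and `externalsecret-validate`; the other commit on this page (#3845) is exactly that follow-up, which suggests this was caught after merge rather than in review. The commit message should also say what the narrowing is for, since "add the resourceNames" does not tell a reader this is a privilege-reduction fix.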
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap+1 −1 modified@@ -4,7 +4,7 @@ should match snapshot of default values: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: secretstores.external-secrets.io
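Review bot: the controller-gen.kubebuilder.io/version bump from v0.15.0 to v0.16.1 in the CRD snapshot is unrelated to the RBAC narrowing and the commit message does not mention it; split it into its own commit, or note the regenerated snapshot in the message, so that reviewers of the security fix are not left wondering whether a tooling change is part of the remediation.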
References
- github.com/advisories/GHSA-qwgc-rr35-h4x9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-45041 (advisory)
- github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml (web)
- github.com/external-secrets/external-secrets/commit/0368b9806f660fa6bc52cbbf3c6ccdb27c58bb35 (web)
- github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c (web)
- github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9 (web)
- pkg.go.dev/vuln/GO-2024-3126 (web)