CVE-2026-22728
Description
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim SealedSecret to the rotate endpoint with the annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the template metadata, a remote attacker can obtain a rotated version of the secret that is cluster-wide. This bypasses original "strict" or "namespace-wide" constraints, allowing the attacker to retarget and unseal the secret in any namespace or under any name to recover the plaintext credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/bitnami-labs/sealed-secrets (Go) | < 0.36.0 | 0.36.0 |
Patches
d57ee4a8357d [Security] Preserve scope during Sealed Secret rotation (#1886)
2 files changed · +16 −3
pkg/controller/controller.go+3 −1 modified@@ -569,8 +569,10 @@ func (c *Controller) Rotate(content []byte) ([]byte, error) { switch s := object.(type) { case *ssv1alpha1.SealedSecret: // Verify metainformation is well set up in Template ObjectMeta and ObjectMeta to avoid unconsistences with the scope during the rotate. + // This is going to keep the original scope. if !reflect.DeepEqual(s.ObjectMeta, s.Spec.Template.ObjectMeta) { - return nil, fmt.Errorf("Sealed Secret invalid: metadata no longer matches the sealed secret") + s.ObjectMeta.DeepCopyInto(&s.Spec.Template.ObjectMeta) + slog.Warn("Sealed Secret metadata doesn't match. Please align your Sealed Secret metadata") } secret, err := c.attemptUnseal(s)
pkg/controller/controller_test.go+13 −2 modified@@ -9,6 +9,8 @@ import ( "testing" "time" + "encoding/json" + ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -382,8 +384,17 @@ func TestRotateKeepScope(t *testing.T) { t.Fatalf("unexpected encoding the sealed secret: %v", err) } - _, err = controller.Rotate(data) - if err == nil { + out, err := controller.Rotate(data) + if err != nil { t.Fatalf("expected failure is not hit") } + + s := &ssv1alpha1.SealedSecret{} + if err = json.Unmarshal(out, s); err != nil { + t.Fatalf("error unmarshalling the rotate sealed secret") + } + + if ssv1alpha1.SecretScope(s) != ssv1alpha1.SecretScope(ssecret) { + t.Fatalf("Scope from the original and the rotate sealed secret do not match") + } }
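Review bot: in the Rotate hunk, `s.ObjectMeta.DeepCopyInto(&s.Spec.Template.ObjectMeta)` copies the whole metav1.ObjectMeta rather than the fields the scope is derived from, so UID, ResourceVersion, CreationTimestamp, ManagedFields and the other server-populated fields of the SealedSecret object now land in the template metadata that the rest of the rotate flow works from. Copying Name, Namespace and Annotations (plus Labels, if the template is expected to keep them) preserves the scope without that side effect. The `slog.Warn` names no object; include s.Namespace and s.Name so an operator can find the SealedSecret whose metadata was out of line, and since this branch used to reject the request outright, a comment should state why coercion plus a warning is now the intended behaviour. Minor: "unconsistences" in the comment should read "inconsistencies".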
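Review bot: in the TestRotateKeepScope hunk, `t.Fatalf("expected failure is not hit")` is now misleading because the branch fires when Rotate returns an error; make it `t.Fatalf("unexpected error rotating the sealed secret: %v", err)`, and likewise include `err` in the json.Unmarshal failure message so a broken payload is diagnosable. The SecretScope comparison covers the reported bypass, but an added assertion that the rotated object's template annotations no longer carry the injected cluster-wide annotation would pin down exactly what the fix overwrites. In the import hunk, "encoding/json" is appended after "time" in the standard-library group; gofmt sorts that group, so it belongs in alphabetical position ahead of "testing".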
Vulnerability mechanics
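The scope widening described in the Description above, as an added example written for this page; it is not code from the Sealed Secrets project. It models the object's own metadata and spec.template.metadata with a cut-down ObjectMeta, binds the scope label as AES-GCM associated data instead of the project's hybrid RSA-OAEP scheme (an assumption made to keep the example self-contained), and runs the rotation twice: once taking the new scope from the untrusted template annotations, as the description says the pre-0.36.0 handler did, and once after overwriting the template metadata with the object metadata, as the fix does. The functions label, aead, seal, unseal, rotate and demo, the keys and the sample secret are the example's own constructed values, not the project's API; only the two annotation keys are the project's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const annoClusterWide = "sealedsecrets.bitnami.com/cluster-wide"
const annoNamespaceWide = "sealedsecrets.bitnami.com/namespace-wide"

// ObjectMeta stands in for metav1.ObjectMeta (assumption: only scope-relevant fields kept).
type ObjectMeta struct {
	Name, Namespace string
	Annotations     map[string]string
}

// SealedSecret holds the object's own metadata, spec.template.metadata and the ciphertext.
type SealedSecret struct {
	ObjectMeta, Template ObjectMeta
	Ciphertext           []byte
}

// label is what the ciphertext is bound to, following the documented annotation rules.
func label(m ObjectMeta) []byte {
	switch {
	case m.Annotations[annoClusterWide] == "true":
		return nil // cluster-wide binds nothing
	case m.Annotations[annoNamespaceWide] == "true":
		return []byte(m.Namespace) // namespace-wide binds only the namespace
	}
	return []byte(m.Namespace + "/" + m.Name) // strict binds namespace and name
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo keys are fixed-size; a bad key is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal binds the label as associated data; assumption: a stand-in for the project's
// hybrid RSA-OAEP scheme, which binds the same label in its own way.
func seal(key, plaintext, lbl []byte) ([]byte, error) {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, lbl), nil
}

func unseal(key, ct, lbl []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], lbl)
}

// rotate unseals under the scope on the object's own metadata and reseals under newKey.
// The output is rebuilt from the template, so its scope is whatever the template says;
// preserveScope=true first overwrites the template with the object metadata, as the fix does.
func rotate(s SealedSecret, oldKey, newKey []byte, preserveScope bool) (SealedSecret, error) {
	pt, err := unseal(oldKey, s.Ciphertext, label(s.ObjectMeta))
	if err != nil {
		return SealedSecret{}, fmt.Errorf("unseal: %w", err)
	}
	if preserveScope {
		s.Template = s.ObjectMeta // the real fix deep-copies; nothing mutates the map afterwards
	}
	out := SealedSecret{ObjectMeta: s.Template, Template: s.Template}
	out.Ciphertext, err = seal(newKey, pt, label(out.ObjectMeta))
	return out, err
}

// demo seals a strict-scope secret, submits it with the cluster-wide annotation injected
// into the template only, and returns whether a copy moved to the attacker's namespace
// (rotated annotations kept) unseals under the new key: pre-fix flow first, fixed flow second.
func demo() (vulnLeaks, fixedLeaks bool, err error) {
	oldKey := []byte("0123456789abcdef0123456789abcdef") // constructed demo keys, not real material
	newKey := []byte("fedcba9876543210fedcba9876543210")
	secret := []byte("db-password=hunter2") // constructed sample plaintext
	victim := ObjectMeta{Name: "db-creds", Namespace: "prod", Annotations: map[string]string{}}
	ct, err := seal(oldKey, secret, label(victim))
	if err != nil {
		return false, false, err
	}
	tampered := SealedSecret{ObjectMeta: victim, Ciphertext: ct, Template: ObjectMeta{
		Name: "db-creds", Namespace: "prod", Annotations: map[string]string{annoClusterWide: "true"}}}
	for _, fixed := range []bool{false, true} {
		out, err := rotate(tampered, oldKey, newKey, fixed)
		if err != nil {
			return false, false, err
		}
		stolen := out.ObjectMeta
		stolen.Namespace, stolen.Name = "attacker", "stolen"
		pt, err := unseal(newKey, out.Ciphertext, label(stolen))
		if leaked := err == nil && string(pt) == string(secret); fixed {
			fixedLeaks = leaked
		} else {
			vulnLeaks = leaked
		}
	}
	return vulnLeaks, fixedLeaks, nil
}
```

demo() is the entry point; call it from a main or a test. The pre-fix rotation returns a cluster-wide object whose ciphertext is bound to no namespace or name, so a copy moved to attacker/stolen unseals with the current key; the fixed rotation stays bound to prod/db-creds and the same copy fails authentication. The attacker never needs the old private key, only the rotate endpoint, which is why the advisory treats the template metadata as untrusted input.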
References
- github.com/advisories/GHSA-465p-v42x-3fmj (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22728 (NVD)
- github.com/bitnami-labs/sealed-secrets/commit/d57ee4a8357d250e602b995399b525496ab688c1 (fix commit)
- github.com/bitnami-labs/sealed-secrets/releases/tag/v0.36.0 (release v0.36.0)
- github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj (repository security advisory)