CVE-2026-22728
Description
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim SealedSecret to the rotate endpoint with the annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the template metadata, a remote attacker can obtain a rotated version of the secret that is cluster-wide. This bypasses original "strict" or "namespace-wide" constraints, allowing the attacker to retarget and unseal the secret in any namespace or under any name to recover the plaintext credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/bitnami-labs/sealed-secrets | Go | < 0.36.0 | 0.36.0 |
Affected products
Five package coordinates are listed, each with an affected version range (no CPE is assigned to any of them):
- pkg:apk/chainguard/kots: < 1.129.4-r2
- pkg:apk/wolfi/kots: < 1.129.4-r2
- pkg:bitnami/sealed-secrets: < 0.36.0
- pkg:golang/github.com/bitnami-labs/sealed-secrets: < 0.36.0
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6: < 0.0.20260317T205859-150000.1.152.1
References
- https://github.com/advisories/GHSA-465p-v42x-3fmj (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-22728 (NVD advisory)
- https://github.com/bitnami-labs/sealed-secrets/commit/d57ee4a8357d250e602b995399b525496ab688c1 (fix commit)
- https://github.com/bitnami-labs/sealed-secrets/releases/tag/v0.36.0 (patched release)
- https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj (upstream security advisory)