Medium severity5.3GHSA Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-42875

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.

Affected products

External Secrets/External SecretsGHSA
Range: < 2.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-wv26-88m5-6h59ghsaADVISORY
github.com/external-secrets/external-secrets/security/advisories/GHSA-wv26-88m5-6h59nvd
nvd.nist.gov/vuln/detail/CVE-2026-42875ghsa

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000