Go modules package
github.com/external-secrets/external-secrets
pkg:golang/github.com/external-secrets/external-secrets
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42875 | Med | — | | < 2.4.0 | 2.4.0 | May 11, 2026 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caPro |
| CVE-2026-34984 | Med | 6.5 | | < 1.3.3-0.20260331202714-6800989bdc12 | 1.3.3-0.20260331202714-6800989bdc12 | Apr 14, 2026 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig |
| CVE-2026-22822 | | — | | >= 0.20.2, < 1.2.0 | 1.2.0 | Jan 21, 2026 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Managem |
| CVE-2025-55196 | Hig | — | | >= 0.15.0, < 0.19.2 | 0.19.2 | Aug 13, 2025 | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controlle |
| CVE-2024-45041 | | — | | < 0.10.2 | 0.10.2 | Sep 9, 2024 | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secr |