CVE-2026-42875 MEDIUM

CVE-2026-42875: External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore

Vendor External-Secrets
Product external-secrets
Weakness CWE-285
Published May 11, 2026
Last update May 12, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. This vulnerability is fixed in 2.4.0.
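An added audit sketch (not code from the External Secrets project or from this advisory): it walks SecretStore manifests and reports every caProvider of type ConfigMap whose namespace differs from the store's own namespace, which is the configuration the description says crossed the namespace boundary before 2.4.0. The manifests are constructed samples, and the nesting of caProvider under spec.provider is an assumption, so the walk searches at any depth.

```python
# Constructed sample manifests (not from the advisory). Only the field names
# caProvider, type and namespace come from the description; the provider
# nesting shown here is an assumption.
def store(kind, ns, name, provider):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "spec": {"provider": provider}}

def ca_ref(type_, ns=None):
    return {"type": type_, "name": "ca-bundle", "key": "ca.crt",
            **({"namespace": ns} if ns else {})}

SAMPLE = [
    store("SecretStore", "team-a", "vault-a", {"vault": {"caProvider": ca_ref("ConfigMap", "platform")}}),
    store("SecretStore", "team-b", "vault-b", {"vault": {"caProvider": ca_ref("ConfigMap")}}),
    store("SecretStore", "team-c", "kube-c", {"kubernetes": {"server": {"caProvider": ca_ref("ConfigMap", "team-c")}}}),
    store("SecretStore", "team-d", "kube-d", {"kubernetes": {"server": {"caProvider": ca_ref("ConfigMap", "team-a")}}}),
    store("ClusterSecretStore", None, "shared", {"vault": {"caProvider": ca_ref("ConfigMap", "platform")}}),
]

def find_ca_providers(node, path="spec"):
    """Yield (path, caProvider dict) for every caProvider found at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "caProvider" and isinstance(value, dict):
                yield child, value
            else:
                yield from find_ca_providers(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_ca_providers(value, f"{path}[{i}]")

def audit(manifests):
    """Return (store, field path, foreign namespace) for cross-namespace ConfigMap CA refs."""
    findings = []
    for m in manifests:
        if m.get("kind") != "SecretStore":  # the description concerns namespaced SecretStore only
            continue
        meta = m.get("metadata", {})
        own_ns = meta.get("namespace", "default")
        for path, ca in find_ca_providers(m.get("spec", {})):
            ns = ca.get("namespace")
            if ca.get("type") == "ConfigMap" and ns and ns != own_ns:
                findings.append((f"{own_ns}/{meta.get('name')}", path, ns))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("cross-namespace CA ConfigMap reference:", *finding)
```

To run it against a cluster export, pass `audit()` the `items` list from a JSON dump of the SecretStore objects instead of `SAMPLE`.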

Key dates

02 Disclosure timeline

May 11, 2026 CVE published
May 12, 2026 Record updated