CVE-2026-42876 MEDIUM

CVE-2026-42876: External Secrets Operator: Privilege escalation with secret overwriting

Vendor External-Secrets
Product external-secrets
Weakness CWE-285
Published May 11, 2026
Last update May 12, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.
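The pattern the description names is a target Secret whose type is `kubernetes.io/service-account-token` (which Kubernetes populates with a long-lived token for the service account named in its `kubernetes.io/service-account.name` annotation). Until the operator is upgraded to 2.4.1, a defender can audit ExternalSecret manifests in CI or from a cluster dump for templates that would produce such a Secret. The following is an added example, not code from the External Secrets project; it assumes the ExternalSecret fields `spec.target.template.type` and `spec.target.template.metadata.annotations`, an `apiVersion` of `external-secrets.io/v1`, and the two constructed sample manifests are illustrative inputs only.

```python
"""Audit ExternalSecret manifests for templates that would yield a
service-account-token Secret (the pattern behind CVE-2026-42876).

Added example, not External Secrets Operator code. Assumptions: the
ExternalSecret schema paths spec.target.template.type and
spec.target.template.metadata.annotations, and the standard Kubernetes
behaviour that a Secret of type kubernetes.io/service-account-token is
auto-populated with a token for the annotated service account.
"""
from __future__ import annotations

from dataclasses import dataclass

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
FIXED_VERSION = (2, 4, 1)  # version stated in the advisory as fixing the issue


@dataclass(frozen=True)
class Finding:
    namespace: str
    name: str
    service_account: str | None
    reason: str


def parse_version(v: str) -> tuple[int, ...]:
    """'v2.3.0' -> (2, 3, 0); a leading 'v' and pre-release/build suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def operator_is_vulnerable(version: str) -> bool:
    """True for any operator release before the fixed version 2.4.1."""
    return parse_version(version) < FIXED_VERSION


def audit_external_secret(obj: dict) -> Finding | None:
    """Return a Finding if this ExternalSecret's target template requests a
    service-account-token Secret, or carries the service-account annotation."""
    if obj.get("kind") != "ExternalSecret":
        return None
    meta = obj.get("metadata") or {}
    target = (obj.get("spec") or {}).get("target") or {}
    template = target.get("template") or {}
    annotations = (template.get("metadata") or {}).get("annotations") or {}
    service_account = annotations.get(SA_NAME_ANNOTATION)

    if template.get("type") == SA_TOKEN_TYPE:
        # This is the condition under which Kubernetes fills in a token.
        reason = f"target.template.type is {SA_TOKEN_TYPE}"
    elif service_account is not None:
        # No token is issued for other Secret types, but the annotation is
        # still worth a review: it has no legitimate use on an Opaque Secret.
        reason = f"target.template carries {SA_NAME_ANNOTATION} on a non-token Secret"
    else:
        return None
    return Finding(
        namespace=meta.get("namespace", "default"),
        name=meta.get("name", "<unnamed>"),
        service_account=service_account,
        reason=reason,
    )


def audit_manifests(objs: list[dict]) -> list[Finding]:
    """Run the check over every object in a manifest list or cluster dump."""
    return [f for f in (audit_external_secret(o) for o in objs) if f is not None]


# Constructed sample inputs (not taken from any real cluster).
SUSPECT_MANIFEST = {
    "apiVersion": "external-secrets.io/v1",  # assumed API version
    "kind": "ExternalSecret",
    "metadata": {"name": "sa-token", "namespace": "team-a"},
    "spec": {
        "target": {
            "name": "sa-token",
            "template": {
                "type": SA_TOKEN_TYPE,
                "metadata": {"annotations": {SA_NAME_ANNOTATION: "admin-sa"}},
            },
        }
    },
}

BENIGN_MANIFEST = {
    "apiVersion": "external-secrets.io/v1",  # assumed API version
    "kind": "ExternalSecret",
    "metadata": {"name": "db-creds", "namespace": "team-a"},
    "spec": {"target": {"name": "db-creds", "template": {"type": "Opaque"}}},
}


if __name__ == "__main__":
    version = "v2.3.0"  # constructed value; read the real one from the deployment
    for finding in audit_manifests([SUSPECT_MANIFEST, BENIGN_MANIFEST]):
        print(f"{finding.namespace}/{finding.name}: {finding.reason} (sa={finding.service_account})")
    if operator_is_vulnerable(version):
        print(f"operator {version} predates the 2.4.1 fix; upgrade")
```

Feed `audit_manifests` the parsed output of `kubectl get externalsecrets -A -o json` (the `items` list) and treat any Finding on a cluster running a release before 2.4.1 as an actionable privilege-escalation path to review; once the operator is on 2.4.1 or later, the same check still documents any templates that legitimately need a service-account-token Secret.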

Key dates

Disclosure timeline

May 11, 2026 CVE published
May 12, 2026 Record updated