What is CVE-2026-22822?

### Summary The `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed, as everything done with that templating function can be done in a different way while respecting our safeguards (for example, using `sourceRef` like explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865) ### Impact - Cross-namespace secret access: Attackers or misconfigured resources could retrieve secrets from namespaces other than the one intended. - privilege escalation: Unauthorized access to secrets could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials. ### Resolution We removed the incriminated templating function from our codebase. All users should upgrade to the latest version containing this fix. ### Workarounds Use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. ### Details See also: - https://github.com/external-secrets/external-secrets/issues/5690 - https://github.com/external-secrets/external-secrets/pull/3895

What is the severity of CVE-2026-22822?

CVE-2026-22822 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-22822?

No known public exploits are currently available for CVE-2026-22822.

Is there a patch available for CVE-2026-22822?

Yes, patches are available for CVE-2026-22822. Check the vendor advisories for update instructions.

CVE-2026-22822 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The getSecretKey template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms.

This function was completely removed, as everything done with that templating function can be done in a different way while respecting our safeguards (for example, using sourceRef like explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865)

Impact

Cross-namespace secret access: Attackers or misconfigured resources could retrieve secrets from namespaces other than the one intended.
privilege escalation: Unauthorized access to secrets could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials.

Resolution

We removed the incriminated templating function from our codebase. All users should upgrade to the latest version containing this fix.

Workarounds

Use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of getSecretKey in any ExternalSecret resource.