A critical vulnerability, CVE-2026-22822, has been identified in the External Secrets Operator; the flaw is described as breaking namespace isolation in Kubernetes. The issue, which carries a CVSS score of 9.3 and is classed as insecure secret retrieval, stems from a templating function named getSecretKey that can fetch secrets from other namespaces using the external-secrets controller's own roleBinding.
According to the security advisory, this function “has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms,” meaning a malicious or misconfigured resource in one namespace could read secrets in another. The vulnerability affects all versions from v0.20.2 up to v1.2.0; the maintainers have removed the feature entirely, and upgrading to v1.2.0 resolves the issue.
As a workaround for those unable to upgrade immediately, policy engines such as Kyverno, Kubewarden or OPA can be used to reject any ExternalSecret resource whose template uses getSecretKey.
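The check such a policy needs to enforce, written here as an added example (not code from the External Secrets project or from any policy engine) as a standalone Python gate that can be run over manifests in CI or a pre-apply hook. It walks every string in the object rather than only spec.target.template.data, so a template placed in a templateFrom literal is caught as well; the sample ExternalSecret, its apiVersion, and the getSecretKey argument list are constructed placeholders, and checking ClusterExternalSecret is an assumption.

```python
import re
from typing import Any, Iterator

# Name of the templating function the advisory describes; Go template
# function names are case-sensitive, so the match is too.
FORBIDDEN_FUNC = re.compile(r"\bgetSecretKey\b")

# The advisory names ExternalSecret; ClusterExternalSecret is added on the
# assumption that it embeds the same spec (adjust to taste).
CHECKED_KINDS = {"ExternalSecret", "ClusterExternalSecret"}


def _walk_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json-path, value) for every string anywhere in the manifest."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{i}]")


def find_violations(manifest: dict) -> list[str]:
    """Return the JSON paths of all fields whose text invokes getSecretKey.

    Kinds outside CHECKED_KINDS are ignored. Walking the whole object means
    spec.target.template.data and templateFrom[].literal are both covered.
    """
    if manifest.get("kind") not in CHECKED_KINDS:
        return []
    return [p for p, text in _walk_strings(manifest) if FORBIDDEN_FUNC.search(text)]


def admit(manifest: dict) -> tuple[bool, str]:
    """Admission-style verdict: (allowed, reason) for one manifest."""
    hits = find_violations(manifest)
    if not hits:
        return True, "ok"
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    return False, f"{manifest.get('kind')}/{name} uses getSecretKey at {', '.join(hits)}"


# Constructed sample: the function arguments are illustrative only, not the
# real signature; only the function name matters to the check.
SAMPLE = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "demo", "namespace": "team-a"},
    "spec": {"target": {"name": "demo", "template": {"data": {
        "token": '{{ getSecretKey "other-namespace" "creds" "token" }}'}}}},
}

if __name__ == "__main__":
    print(admit(SAMPLE))  # (False, 'ExternalSecret/demo uses getSecretKey at .spec.target.template.data.token')
```

A templateFrom entry that references a ConfigMap or Secret carries its template text outside the ExternalSecret object, so a static check of the manifest alone cannot see it; the referenced object needs the same scan.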