External Secrets Operator
cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*
- < 2.4.0
In External Secrets Operator versions prior to 2.4.0, a namespaced SecretStore whose provider used a CAProvider of type ConfigMap could resolve its CA material from a ConfigMap in a different namespace. When caProvider.namespace was set to a namespace other than the SecretStore's own, the operator honored it instead of restricting the lookup to the store's namespace. A tenant could therefore point its SecretStore at CA material owned by another namespace, crossing the namespace boundary that namespaced SecretStores are meant to enforce, and could infer whether a specific ConfigMap or key exists in the targeted namespace.
The risk of direct data exfiltration is low, since what is read is CA material rather than the secrets themselves. The impact is existence disclosure (an attacker can learn whether a given ConfigMap or key is present in another namespace) and a trust-boundary violation, since a tenant can consume another namespace's CA material for CA validation of its own provider connection.
Users can upgrade to External Secrets Operator version 2.4.0 or later to address this vulnerability.
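The following audit check is an added example, not code from the External Secrets project. It walks SecretStore objects in the shape emitted by `kubectl get secretstores -A -o json` and flags namespaced stores whose caProvider of type ConfigMap references a namespace other than the store's own, and it tells you whether a given operator version string is older than the fixed 2.4.0 release. The `caProvider` fields (`type`, `name`, `key`, `namespace`) follow the ESO API; the sample manifests, the namespaces `tenant-a`/`tenant-b`, the Vault address and the function names are constructed for this example.

```python
"""Audit check for the ESO CAProvider cross-namespace issue (added example,
not External Secrets Operator project code)."""
import re
from typing import Any, Dict, List, Tuple

FIXED_VERSION = (2, 4, 0)        # first release without the issue, per the advisory
AFFECTED_CA_TYPE = "ConfigMap"   # the caProvider type named in the advisory


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn an image tag or chart version such as 'v2.3.1' into (2, 3, 1).
    Only the three numeric components are compared; a pre-release suffix
    such as '-rc1' is ignored, so inspect such builds by hand."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(tag: str) -> bool:
    """True when the operator version is older than 2.4.0."""
    return parse_version(tag) < FIXED_VERSION


def find_cross_namespace_ca_refs(items: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """One finding per namespaced SecretStore whose ConfigMap caProvider
    points at a namespace other than the store's own."""
    findings: List[Dict[str, str]] = []
    for obj in items:
        # ClusterSecretStore is cluster-scoped; a caProvider.namespace there is expected.
        if obj.get("kind") != "SecretStore":
            continue
        meta = obj.get("metadata") or {}
        store_ns = meta.get("namespace")
        provider = (obj.get("spec") or {}).get("provider") or {}
        # The provider block carries one backend key (vault, kubernetes, ...);
        # iterate over whatever is present so the check is backend-agnostic.
        for backend, cfg in provider.items():
            if not isinstance(cfg, dict):
                continue
            ca = cfg.get("caProvider")
            if not isinstance(ca, dict):
                continue
            ref_ns = ca.get("namespace")
            if ca.get("type") == AFFECTED_CA_TYPE and ref_ns and ref_ns != store_ns:
                findings.append({
                    "store": f"{store_ns}/{meta.get('name')}",
                    "backend": backend,
                    "configmap": f"{ref_ns}/{ca.get('name')}",
                    "key": str(ca.get("key", "")),
                })
    return findings


# Constructed sample objects (not taken from a real cluster).
SAMPLE_ITEMS = [
    {   # Affected: tenant-a's store reads a ConfigMap that lives in tenant-b.
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "SecretStore",
        "metadata": {"name": "vault-backend", "namespace": "tenant-a"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "path": "secret",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "tenant-b"},
        }}},
    },
    {   # Fine: no namespace given, so the lookup stays inside tenant-a.
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "SecretStore",
        "metadata": {"name": "vault-local-ca", "namespace": "tenant-a"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "path": "secret",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca", "key": "ca.crt"},
        }}},
    },
    {   # Skipped: cluster-scoped store, where a namespace on caProvider is legitimate.
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ClusterSecretStore",
        "metadata": {"name": "shared-vault"},
        "spec": {"provider": {"vault": {
            "server": "https://vault.example.internal:8200",
            "path": "secret",
            "caProvider": {"type": "ConfigMap", "name": "vault-ca",
                           "key": "ca.crt", "namespace": "external-secrets"},
        }}},
    },
]


if __name__ == "__main__":
    import json
    import sys
    # Pipe in `kubectl get secretstores -A -o json`; otherwise audit the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": SAMPLE_ITEMS}
    for f in find_cross_namespace_ca_refs(data.get("items", [])):
        print(f"{f['store']}: {f['backend']} caProvider reads {f['configmap']} (key {f['key']})")
```

Run it against the live output of `kubectl get secretstores -A -o json` before upgrading: every finding is a namespaced store that, on an affected version, resolved CA material across a namespace boundary. Those stores should reference a ConfigMap in their own namespace; if the CA material is genuinely shared, a ClusterSecretStore is the object whose caProvider is meant to carry a namespace.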