CVE-2026-42876
Severity: MEDIUM (CVSS 4.9)
Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.
CVE details
CVSS v3.1 score: 4.9
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: LOW
User interaction: NONE
Published: 5/11/2026
Last modified: 5/13/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-285
References
https://github.com/external-secrets/external-secrets/commit/4ddd240af7fe88725d9857b9a0c198073502e288 (security-advisories@github.com)
https://github.com/external-secrets/external-secrets/releases/tag/v2.4.1 (security-advisories@github.com)
https://github.com/external-secrets/external-secrets/security/advisories/GHSA-fq7h-9x26-6j22 (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.