CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22822: Confused Deputy in the Cloud: CVE-2026-22822 & The ESO Secret Heist


Vulnerability ID: CVE-2026-22822
CVSS Score: 8.8
Published: 2026-01-20

A critical 'Confused Deputy' vulnerability in the External Secrets Operator (ESO) allows low-privileged users to hijack the controller's identity. By abusing the v2 templating engine's getSecretKey function, an attacker can trick the operator into fetching and revealing any secret from any namespace in the cluster, completely bypassing Kubernetes RBAC boundaries.

TL;DR

The External Secrets Operator (ESO) v2 templating engine contained a helper function, getSecretKey, that ran with the controller's cluster-wide privileges. It failed to check if the requesting user actually had permission to read the target secret. This allowed any user who could create an ExternalSecret resource to exfiltrate credentials from restricted namespaces (like kube-system). The fix was the nuclear option: the function was deleted entirely in v1.2.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-441 (Confused Deputy)
  • Attack Vector: Network
  • CVSS: 8.8 (High)
  • Privileges Required: Low (Create ExternalSecret)
  • Impact: Confidentiality (High), Integrity (Medium)
  • Status: Patched (Feature Removed)

Affected Systems

  • External Secrets Operator < v1.2.0 (fixed in v1.2.0)

Code Analysis

Commit: 17d3e22

Removal of getSecretKey function from v2 template engine

- func (t *Template) getSecretKey(name, namespace, key string) (string, error) {
-   config, err := ctrl.GetConfig()
-   if err != nil {
-       return "", err
-   }
-   clientset, err := kubernetes.NewForConfig(config)
...
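Review bot: the removed helper takes `namespace` as a free string argument and builds its own client from `ctrl.GetConfig()` and `kubernetes.NewForConfig(config)`, i.e. the controller's in-cluster credentials, so nothing in the visible lines ties the lookup to the identity of the user who created the ExternalSecret. Deleting it is the right call; any future replacement should resolve secrets only through a client scoped to the ExternalSecret's own namespace or after a SubjectAccessReview for the requesting user. The hunk is truncated here, so the actual Get call and its error handling are not visible.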

Mitigation Strategies

  • Upgrade to a patched version (v1.2.0 or later, which removes the vulnerable function)
  • Audit existing ExternalSecret resources for suspicious templates

Remediation Steps:

  1. Pull the latest helm chart for external-secrets.
  2. Upgrade the deployment to version >= v1.2.0.
  3. Verify that the getSecretKey function is no longer available by testing a dummy template (it should error out).
  4. Review audit logs for any historical access to sensitive secrets by the ESO service account that originated from unexpected namespaces.
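The template audit in the mitigation list can be scripted. The following is an added example, not part of this report or of the ESO project: it walks the output of `kubectl get externalsecrets -A -o json`, flags every template string that references the removed getSecretKey helper, and lists templateFrom entries that pull template text from a ConfigMap or Secret (those have to be inspected separately, since their contents are not in the manifest). The template field paths (spec.target.template.data, .metadata, .templateFrom[].literal) are assumed from the ExternalSecret schema; the sample manifests are constructed.

```python
import json
import re

# Matches the removed v2 helper in any call form, e.g. {{ getSecretKey "a" "ns" "k" }}.
GET_SECRET_KEY = re.compile(r"\bgetSecretKey\b")

def _template_strings(template):
    """Yield (path, text) for each string the v2 engine renders: data values,
    template metadata annotations/labels and templateFrom[].literal entries."""
    for key, text in (template.get("data") or {}).items():
        yield f"data.{key}", text
    meta = template.get("metadata") or {}
    for section in ("annotations", "labels"):
        for key, text in (meta.get(section) or {}).items():
            yield f"metadata.{section}.{key}", text
    for i, src in enumerate(template.get("templateFrom") or []):
        if "literal" in src:
            yield f"templateFrom[{i}].literal", src["literal"]

def find_suspicious(items):
    """One finding per ExternalSecret whose template references getSecretKey, plus a
    'needsManualReview' list for templateFrom entries sourced from a ConfigMap or
    Secret, whose template text is not present in the manifest itself."""
    findings = []
    for es in items:
        meta = es["metadata"]
        template = ((es.get("spec") or {}).get("target") or {}).get("template") or {}
        hits = [path for path, text in _template_strings(template) if GET_SECRET_KEY.search(text)]
        external = [f"templateFrom[{i}]" for i, src in enumerate(template.get("templateFrom") or [])
                    if "configMap" in src or "secret" in src]
        if hits or external:
            findings.append({"namespace": meta.get("namespace", "default"), "name": meta["name"],
                             "engineVersion": template.get("engineVersion", "v2"),
                             "getSecretKey": hits, "needsManualReview": external})
    return findings

def audit_list(list_json):
    """Audit the JSON list produced by `kubectl get externalsecrets -A -o json`."""
    return find_suspicious(json.loads(list_json).get("items", []))

# Constructed sample: one benign ExternalSecret and one that calls the removed helper.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "app-db", "namespace": "team-a"},
     "spec": {"target": {"template": {"engineVersion": "v2",
              "data": {"DSN": "postgres://{{ .username }}:{{ .password }}@db/app"}}}}},
    {"metadata": {"name": "innocent-looking", "namespace": "team-b"},
     "spec": {"target": {"template": {"engineVersion": "v2",
              "data": {"token": "{{ getSecretKey \"some-secret\" \"other-ns\" \"key\" }}"},
              "templateFrom": [{"configMap": {"name": "tpl", "items": [{"key": "cfg"}]}}]}}}}]})
```

Pipe the real cluster dump into `audit_list` and treat any non-empty result as something to review before and after the upgrade; on a patched cluster a surviving getSecretKey reference simply fails to render, but it still shows who was probing.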

Read the full report for CVE-2026-22822 on our website for more details including interactive diagrams and full exploit analysis.
