CVE-2026-22822
PUBLISHED
CVSS 9.3 CRITICAL
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
EPSS 0.01% · 0.5th percentile
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Score
0.01%
0.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| external-secrets | external_secrets_operator | 0.20.2 |
| external-secrets | external-secrets | >= 0.20.2, < 1.2.0 |
| github.com | external-secrets/external-secrets | 0.20.2 |
Timeline
- Sep 24, 2025 Fix PR Merged
- Jan 20, 2026 CVE Published
- Jan 22, 2026 CVE Updated
- Jan 22, 2026 EPSS Score
- Jan 22, 2026 PoC Published
- Jan 23, 2026 PoC Published
- Jan 23, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
- Jan 25, 2026 EPSS Score
- Jan 27, 2026 EPSS Score
References
- https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2
- https://github.com/external-secrets/external-secrets/issues/5690
- https://github.com/external-secrets/external-secrets/pull/3895
- https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb
- https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0
- https://nvd.nist.gov/vuln/detail/CVE-2026-22822 (advisory)
- https://github.com/external-secrets/external-secrets (package)