CVE-2026-42876

Source
https://cve.org/CVERecord?id=CVE-2026-42876
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42876.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42876
Aliases
Downstream
Related
Published
2026-05-11T18:58:44.069Z
Modified
2026-07-08T08:12:35.231324723Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
External Secrets Operator: Priviledge escalation with secret overwriting
Details

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the specified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type. This vulnerability is fixed in 2.4.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42876.json",
    "cwe_ids": [
        "CWE-285"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/external-secrets/external-secrets

Affected ranges

Type
GIT
Repo
https://github.com/external-secrets/external-secrets
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.1"
        }
    ]
}

Affected versions

helm-chart-0.*
helm-chart-0.1.1
helm-chart-0.1.2
helm-chart-0.1.3
helm-chart-0.1.4
helm-chart-0.10.0
helm-chart-0.10.1
helm-chart-0.10.2
helm-chart-0.10.6
helm-chart-0.14.1
helm-chart-0.14.2
helm-chart-0.15.1
helm-chart-0.16.0
helm-chart-0.17.0
helm-chart-0.18.0-rc1
helm-chart-0.19.2
helm-chart-0.2.0
helm-chart-0.2.1
helm-chart-0.2.2
helm-chart-0.2.3
helm-chart-0.20.1
helm-chart-0.20.2
helm-chart-0.20.3
helm-chart-0.20.4
helm-chart-0.3.0
helm-chart-0.3.1
helm-chart-0.3.10
helm-chart-0.3.11
helm-chart-0.3.2
helm-chart-0.3.3
helm-chart-0.3.4
helm-chart-0.3.5
helm-chart-0.3.6
helm-chart-0.3.7
helm-chart-0.3.8
helm-chart-0.3.9
helm-chart-0.4.0
helm-chart-0.4.1
helm-chart-0.4.2
helm-chart-0.4.3
helm-chart-0.4.4
helm-chart-0.5.0
helm-chart-0.5.1
helm-chart-0.5.2
helm-chart-0.5.3
helm-chart-0.5.4
helm-chart-0.5.5
helm-chart-0.5.6
helm-chart-0.5.7
helm-chart-0.5.8
helm-chart-0.5.9
helm-chart-0.6.0
helm-chart-0.6.0-rc1
helm-chart-0.6.1
helm-chart-0.7.0
helm-chart-0.7.0-rc1
helm-chart-0.7.1
helm-chart-0.7.2
helm-chart-0.8.0
helm-chart-0.8.1
helm-chart-0.8.2
helm-chart-0.8.3
helm-chart-0.9.0
helm-chart-0.9.1
helm-chart-0.9.10
helm-chart-0.9.11
helm-chart-0.9.12
helm-chart-0.9.13
helm-chart-0.9.14
helm-chart-0.9.15-2
helm-chart-0.9.16
helm-chart-0.9.17
helm-chart-0.9.18
helm-chart-0.9.19
helm-chart-0.9.2
helm-chart-0.9.20
helm-chart-0.9.3
helm-chart-0.9.4
helm-chart-0.9.5
helm-chart-0.9.6
helm-chart-0.9.7
helm-chart-0.9.8
helm-chart-0.9.9
helm-chart-1.*
helm-chart-1.0.0
helm-chart-1.1.0
helm-chart-1.1.1
helm-chart-1.2.0
helm-chart-1.2.1
helm-chart-1.3.1
helm-chart-1.3.2
helm-chart-2.*
helm-chart-2.0.0
helm-chart-2.0.1
helm-chart-2.1.0
helm-chart-2.2.0
helm-chart-2.3.0
helm-chart-2.4.0
v.*
v.0.3.6
v0.*
v0.1.0
v0.1.0-esoctl
v0.1.0-render
v0.1.2
v0.1.3
v0.1.4
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1-rc1
v0.18.0
v0.18.0-rc1
v0.18.1
v0.18.2
v0.19.0
v0.19.1
v0.19.2
v0.2.0
v0.2.0-esoctl
v0.2.1
v0.2.1-esoctl
v0.2.2
v0.2.3
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.20.4
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.0-rc1
v0.6.1
v0.7.0
v0.7.0-rc1
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.14
v0.9.15
v0.9.15-2
v0.9.16
v0.9.17
v0.9.18
v0.9.19
v0.9.2
v0.9.20
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42876.json"