CVE-2026-42875
External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
Description
### Impact Namespaced SecretStore resources that used CAProvider with type `ConfigMap` could resolve CA material from another namespace when `caProvider.namespace` was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA resolver. The accessible data is used as CA validation material, hence it is not directly exposed. Impact: - Direct data exfiltration risk: low - Existence disclosure: an attacker can infer whether a target ConfigMap/key exists in another namespace. - Trust-boundary violation: a tenant can make its SecretStore consume CA material owned by another namespace.
How to fix CVE-2026-42875
To remediate CVE-2026-42875, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.0 or later
Is CVE-2026-42875 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |