Summary
A vulnerability was discovered in the External Secrets Operator where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector.
This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.
Exploitability
To exploit this vulnerability, an attacker must:
- Have permissions to create or update
PushSecretresources. - Control one or more
SecretStoreresources.
With these conditions met, the attacker could leverage label selectors to list secrets from any namespace and retrieve their contents.
Affected Versions
- Vulnerable: v0.15.0 – v0.19.1
- Not Vulnerable: v0.19.2 and later
Mitigation
If upgrading to v0.19.2 or later is not immediately possible, the following mitigations are recommended:
- Restrict RBAC permissions so that only trusted service accounts can create or update
PushSecretandSecretStoreresources. - Audit existing
PushSecretandSecretStoreresources to ensure they are controlled by trusted parties. - Review Network Policies to prevent data exfiltration
Credit
This vulnerability was reported by @gracedo and @moolen
Impact
An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces.
This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability was addressed in v0.19.2 by adding namespace restrictions to the List() calls for both PushSecret and SecretStore controllers.
This ensures that only secrets in the intended namespace are accessible.
Relevant fixes:
Frequently Asked Questions
- What is CVE-2025-55196? CVE-2025-55196 is a high-severity security vulnerability in github.com/external-secrets/external-secrets (go), affecting versions >= 0.15.0, < 0.19.2. It is fixed in 0.19.2.
- Which versions of github.com/external-secrets/external-secrets are affected by CVE-2025-55196? github.com/external-secrets/external-secrets (go) versions >= 0.15.0, < 0.19.2 is affected.
- Is there a fix for CVE-2025-55196? Yes. CVE-2025-55196 is fixed in 0.19.2. Upgrade to this version or later.
- Is CVE-2025-55196 exploitable, and should I be worried? Whether CVE-2025-55196 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-55196 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-55196? Upgrade
github.com/external-secrets/external-secretsto 0.19.2 or later.