Security Advisories

CGA-w66c-53hc-624j

Published

Last updated

https://images.chainguard.dev/security/CGA-w66c-53hc-624j
Package

external-secrets-operator-0.18

Repository

Wolfi

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-55196
  • GHSA-fcxq-v2r3-cc8h

Severity

Unknown

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55196

Updates

Status

Pending upstream fix

Impact

The vulnerability in External Secrets Operator allows unauthorized secret access across namespaces because List() calls are missing namespace restrictions. It affects the List() operations of the PushSecret and SecretStore controllers, which could allow attackers to exfiltrate sensitive data from arbitrary namespaces. The fix is available in version 0.19.2; however, because of significant functional changes between 0.18.x and 0.19.x, upstream maintainers will need to backport the security fix to the 0.18.x release stream before this package can receive it.

Status

Under investigation

