CVE-2025-55196: vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-55196) was discovered in the External Secrets Operator, affecting versions 0.15.0 through 0.19.1. It stems from missing namespace restrictions in the List() calls the PushSecret controller makes for Secret and SecretStore resources, which could allow unauthorized access to secrets across namespaces in a Kubernetes cluster. The issue was discovered and disclosed in August 2025 and affects the core functionality of the External Secrets Operator's PushSecret controller (GitHub Advisory).

Technical details

The vulnerability exists because the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller do not apply a namespace selector. This implementation flaw allows an attacker to use label selectors to list and read Secrets and SecretStores across the whole cluster, bypassing the intended namespace boundaries. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CISA-ADP).

Impact

An attacker with permissions to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to unauthorized access to Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster, potentially compromising the entire cluster's security (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 0.19.2 by adding namespace restrictions to the List() calls for both PushSecret and SecretStore controllers. For organizations unable to immediately upgrade, recommended mitigations include restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources, auditing existing PushSecret and SecretStore resources, and reviewing Network Policies to prevent data exfiltration (GitHub Advisory).
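As an added illustration covering both the flaw described under Technical details and the fix described above (this is not code from the External Secrets Operator or its advisory), the following Go model shows why a List() call with only a label selector reaches Secrets in other namespaces, and what the patched call shape looks like once the PushSecret's own namespace is applied. The option helpers, the sample cluster and the tenant names are constructed for this example.

```go
package main

// Illustrative model of a namespaced List() driven by options shaped like
// controller-runtime's client.InNamespace / client.MatchingLabels (added example).
type Secret struct {
	Namespace, Name string
	Labels          map[string]string
}
type listFilter struct {
	namespace string // empty means no restriction: the pre-0.19.2 defect
	labels    map[string]string
}
type ListOption func(*listFilter)
func InNamespace(ns string) ListOption { return func(f *listFilter) { f.namespace = ns } }
func MatchingLabels(l map[string]string) ListOption {
	return func(f *listFilter) { f.labels = l }
}

// List applies every option; with no InNamespace option the label selector
// alone decides, so it is evaluated across the whole cluster.
func List(all []Secret, opts ...ListOption) []Secret {
	var f listFilter
	for _, o := range opts {
		o(&f)
	}
	var out []Secret
next:
	for _, s := range all {
		if f.namespace != "" && s.Namespace != f.namespace {
			continue
		}
		for k, v := range f.labels {
			if s.Labels[k] != v {
				continue next
			}
		}
		out = append(out, s)
	}
	return out
}

// Constructed cluster: the caller controls only "tenant-b", but the label it selects on also exists in "tenant-a".
var cluster = []Secret{
	{"tenant-a", "db-creds", map[string]string{"app": "api"}},
	{"tenant-b", "own-secret", map[string]string{"app": "api"}},
}

// Pre-0.19.2 shape (selector only) versus the patched shape (namespace applied).
func VulnerableLookup(sel map[string]string) []Secret { return List(cluster, MatchingLabels(sel)) }
func FixedLookup(ns string, sel map[string]string) []Secret {
	return List(cluster, InNamespace(ns), MatchingLabels(sel))
}
```

The same shape explains the RBAC workaround: as long as the call can run without a namespace option, the only thing limiting which selectors are evaluated is who is allowed to create or update PushSecret resources.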

Community reactions

The vulnerability was responsibly disclosed and addressed through collaborative efforts between security researchers @gracedo and @moolen. The fix was implemented through two pull requests (#5133 and #5109) which were thoroughly reviewed and merged into the main branch of the External Secrets Operator repository (GitHub PR).

This report was generated using AI.
