Information Exposure Affecting external-secrets-operator-2.2 package, versions <2.2.0-r7


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Social Trends
EPSS
0.26% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-EXTERNALSECRETSOPERATOR22-16534895
  • published8 May 2026
  • disclosed14 Apr 2026

Introduced: 14 Apr 2026

CVE-2026-34984  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade Wolfi external-secrets-operator-2.2 to version 2.2.0-r7 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream external-secrets-operator-2.2 package and not the external-secrets-operator-2.2 package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() but leaves the getHostByName function accessible to user-controlled templates. Since ESO executes templates within the controller process, an attacker who can create or update templated ExternalSecret resources can invoke controller-side DNS lookups using secret-derived values. This creates a DNS exfiltration primitive, allowing fetched secret material to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload. The impact is a confidentiality issue, particularly in environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller has DNS resolution capability. This issue has been fixed in version 2.3.0.

CVSS Base Scores

version 3.1