GHSA-465P-V42X-3FMJ

Vulnerability from github – Published: 2026-02-26 22:49 – Updated: 2026-02-26 22:49
Summary
Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations
Details

This report shows a scope-widening issue in the rotate (re-encrypt) flow: the output scope can be derived from untrusted spec.template.metadata.annotations on the input sealed secret.

If a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can set sealedsecrets.bitnami.com/cluster-wide=true in the template metadata and receive a rotated sealed secret that is cluster-wide, enabling retargeting (metadata.name/metadata.namespace) and unsealing to recover the victim plaintext.

Relevant Links (Pinned)

  • Rotate handler uses NewSealedSecret(..., secret) after unsealing: https://github.com/bitnami-labs/sealed-secrets/blob/946bc048f3407117c837da6e4300686522d4c4eb/pkg/controller/controller.go#L560-L606
  • Scope derivation reads secret annotations (SecretScope): https://github.com/bitnami-labs/sealed-secrets/blob/946bc048f3407117c837da6e4300686522d4c4eb/pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go#L112-L122

Root Cause

The rotate flow unseals the input sealed secret to a Secret, then reseals using NewSealedSecret(..., secret).

Because SecretScope(secret) is computed from the Secret's annotations, and unsealing copies spec.template metadata (annotations included) onto the unsealed Secret, an attacker can choose the scope of the rotated output simply by editing the template annotations on the rotate input; the scope the input was originally sealed under is not carried into the reseal.

Attack Path

  1. Attacker obtains a victim SealedSecret object (for example via read access to resources or logs) and can submit it to the controller rotate endpoint (the controller's /v1/rotate HTTP API, which kubeseal --re-encrypt reaches through the Kubernetes API server's service proxy; this access requirement is why the advisory's CVSS vector rates privileges required as high).
  2. Attacker sets spec.template.metadata.annotations.sealedsecrets.bitnami.com/cluster-wide=true (and optionally retargets name/namespace fields).
  3. Rotate returns a resealed, cluster-wide sealed secret that is no longer bound to the victim name/namespace.
  4. Attacker unseals the rotated output in their chosen namespace/name to recover the victim plaintext.

Proof of Concept

Setup + run:

unzip poc.zip -d poc
cd poc
make test

Canonical output (excerpt):

[CALLSITE_HIT]: pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go:112 SecretScope
[PROOF_MARKER]: scope_widened=true rotated_scope=cluster-wide

Control output (excerpt):

[NC_MARKER]: scope_widened=false strict_scope_preserved=true

Fix Accepted When

Rotate preserves the original sealing scope and does not allow scope widening based on untrusted template metadata; strict or namespace-wide inputs cannot produce cluster-wide outputs.
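The following is an added example written for this page; it is neither the project's code nor the attached poc.zip. It models the Root Cause, the four-step Attack Path and the "Fix Accepted When" condition in one runnable Go program. Assumptions: the sealing is a simplified stand-in (AES-GCM keyed directly, with the scope label as associated data) for sealed-secrets' RSA-OAEP + AES-GCM hybrid; a SealedSecret is modelled as carrying the scope it was sealed under in its own annotations (which fix the decryption label) and copying spec.template annotations onto the unsealed Secret, as the advisory describes; the functions seal, unseal, rotate, attack and must, the keys, the "prod/db-creds" victim and the "hunter2" value are all constructed. Only the annotation keys are the project's. rotate(..., true) is one way to meet the acceptance criterion, not the actual patch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Scope is the sealing scope; the annotation keys are the real sealed-secrets ones. The sealing
// below is a simplified stand-in (AES-GCM, scope label as associated data) for the project's hybrid scheme.
type Scope string
const (
	annClusterWide     = "sealedsecrets.bitnami.com/cluster-wide"
	annNamespaceWide   = "sealedsecrets.bitnami.com/namespace-wide"
	StrictScope        Scope = "strict"
	NamespaceWideScope Scope = "namespace-wide"
	ClusterWideScope   Scope = "cluster-wide"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // keys and nonces here are constructed
// secretScope mirrors the annotation-driven derivation the advisory pins as SecretScope.
func secretScope(ann map[string]string) Scope {
	if ann[annClusterWide] == "true" {
		return ClusterWideScope
	}
	if ann[annNamespaceWide] == "true" {
		return NamespaceWideScope
	}
	return StrictScope
}

// encryptionLabel is the ns/name binding used as AEAD associated data; the cluster-wide label is empty.
func encryptionLabel(ns, name string, s Scope) []byte {
	return []byte(map[Scope]string{ClusterWideScope: "", NamespaceWideScope: ns, StrictScope: ns + "/" + name}[s])
}

// SealedSecret stands in for the CRD. Model assumption: the sealing scope is recorded in the object's
// own annotations (fixing the decryption label), while spec.template annotations are copied onto the Secret.
type SealedSecret struct {
	Namespace, Name                  string
	Annotations, TemplateAnnotations map[string]string
	Ciphertext                       []byte // nonce || AES-GCM(data, aad=label)
}

// seal encrypts data for ns/name under scope; tmpl becomes spec.template metadata.
func seal(key []byte, ns, name string, scope Scope, tmpl map[string]string, data []byte) *SealedSecret {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	ann := map[string]string{annClusterWide: fmt.Sprint(scope == ClusterWideScope), annNamespaceWide: fmt.Sprint(scope == NamespaceWideScope)}
	ct := g.Seal(nonce, nonce, data, encryptionLabel(ns, name, scope))
	return &SealedSecret{Namespace: ns, Name: name, Annotations: ann, TemplateAnnotations: tmpl, Ciphertext: ct}
}

// unseal decrypts ss as ns/name with the label its own annotations imply; the returned annotations are the template's.
func unseal(key []byte, ss *SealedSecret, ns, name string) ([]byte, map[string]string, Scope, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n, scope := g.NonceSize(), secretScope(ss.Annotations) // ciphertexts in this model always come from seal
	pt, err := g.Open(nil, ss.Ciphertext[:n], ss.Ciphertext[n:], encryptionLabel(ns, name, scope))
	if err != nil {
		err = fmt.Errorf("unseal as %s/%s with %s label: %w", ns, name, scope, err)
	}
	return pt, ss.TemplateAnnotations, scope, err
}

// rotate models the controller's rotate handler: unseal, then reseal to the new key.
// preserveScope=true is the "Fix Accepted When" behaviour; false is the pre-fix flow.
func rotate(oldKey, newKey []byte, ss *SealedSecret, preserveScope bool) (*SealedSecret, error) {
	pt, ann, scope, err := unseal(oldKey, ss, ss.Namespace, ss.Name)
	if err != nil {
		return nil, err
	}
	if !preserveScope {
		scope = secretScope(ann) // NewSealedSecret(..., secret): scope re-derived from template-supplied annotations
	}
	return seal(newKey, ss.Namespace, ss.Name, scope, ann, pt), nil
}

// attack runs the advisory's attack path (constructed keys, constructed strict victim) and returns the
// rotated scope, any plaintext recovered after retargeting, and that final unseal's error (nil = recovered).
func attack(preserveScope bool) (Scope, string, error) {
	oldKey, newKey := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210")
	victim := seal(oldKey, "prod", "db-creds", StrictScope, map[string]string{}, []byte("hunter2"))
	victim.TemplateAnnotations[annClusterWide] = "true" // step 2: touch only the untrusted template metadata
	rotated, err := rotate(oldKey, newKey, victim, preserveScope) // step 3: submit to rotate
	if err != nil {
		return "", "", err
	}
	rotated.Namespace, rotated.Name = "attacker", "stolen" // step 4: retarget, then unseal elsewhere
	pt, _, _, err := unseal(newKey, rotated, "attacker", "stolen")
	return secretScope(rotated.Annotations), string(pt), err
}

func main() {
	for _, preserve := range []bool{false, true} {
		fmt.Println(attack(preserve))
	}
}
```

Running it prints one line per rotate variant: the pre-fix flow yields rotated_scope cluster-wide and the victim plaintext opens under attacker/stolen, while the scope-preserving flow yields strict and the retargeted unseal fails on the AEAD tag. The design point is that the scope is enforced only through the label used as associated data at seal time, so the unseal of the input cannot detect the widening; the reseal has to be told the scope the input actually decrypted under rather than re-deriving it from annotations the submitter controls.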

Attachments:

  • poc.zip: https://github.com/user-attachments/files/25080027/poc.zip
  • PR_DESCRIPTION.md: https://github.com/user-attachments/files/25080028/PR_DESCRIPTION.md
  • attack_scenario.md: https://github.com/user-attachments/files/25080029/attack_scenario.md

Advisory record (OSV JSON, GitHub Advisory Database)

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bitnami-labs/sealed-secrets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T22:49:14Z",
    "nvd_published_at": "2026-02-26T02:16:20Z",
    "severity": "MODERATE"
  },
  "details": "This report shows a scope-widening issue in the rotate (re-encrypt) flow: the output scope can be derived from untrusted `spec.template.metadata.annotations` on the input sealed secret.\n\nIf a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can set `sealedsecrets.bitnami.com/cluster-wide=true` in the template metadata and receive a rotated sealed secret that is cluster-wide, enabling retargeting (`metadata.name`/`metadata.namespace`) and unsealing to recover the victim plaintext.\n\n## Relevant Links (Pinned)\n\n- Rotate handler uses `NewSealedSecret(..., secret)` after unsealing: https://github.com/bitnami-labs/sealed-secrets/blob/946bc048f3407117c837da6e4300686522d4c4eb/pkg/controller/controller.go#L560-L606\n- Scope derivation reads secret annotations (`SecretScope`): https://github.com/bitnami-labs/sealed-secrets/blob/946bc048f3407117c837da6e4300686522d4c4eb/pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go#L112-L122\n\n## Root Cause\n\nThe rotate flow unseals the input sealed secret to a `Secret`, then reseals using `NewSealedSecret(..., secret)`.\n\nBecause `SecretScope(secret)` is computed from secret annotations, and unsealing applies `spec.template` metadata onto the unsealed secret, an attacker can influence the scope of the rotated output by mutating template annotations on the rotate input.\n\n## Attack Path\n\n1. Attacker obtains a victim `SealedSecret` object (for example via read access to resources or logs) and can submit it to the controller rotate endpoint.\n2. Attacker sets `spec.template.metadata.annotations.sealedsecrets.bitnami.com/cluster-wide=true` (and optionally retargets name/namespace fields).\n3. Rotate returns a resealed, cluster-wide sealed secret that is no longer bound to the victim name/namespace.\n4. Attacker unseals the rotated output in their chosen namespace/name to recover the victim plaintext.\n\n## Proof of Concept\n\nSetup + run:\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake test\n```\n\nCanonical output (excerpt):\n\n```\n[CALLSITE_HIT]: pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go:112 SecretScope\n[PROOF_MARKER]: scope_widened=true rotated_scope=cluster-wide\n```\n\nControl output (excerpt):\n\n```\n[NC_MARKER]: scope_widened=false strict_scope_preserved=true\n```\n\n## Fix Accepted When\n\nRotate preserves the original sealing scope and does not allow scope widening based on untrusted template metadata; strict or namespace-wide inputs cannot produce cluster-wide outputs.\n\n[poc.zip](https://github.com/user-attachments/files/25080027/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25080028/PR_DESCRIPTION.md)\n[attack_scenario.md](https://github.com/user-attachments/files/25080029/attack_scenario.md)",
  "id": "GHSA-465p-v42x-3fmj",
  "modified": "2026-02-26T22:49:14Z",
  "published": "2026-02-26T22:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitnami-labs/sealed-secrets/commit/d57ee4a8357d250e602b995399b525496ab688c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bitnami-labs/sealed-secrets"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitnami-labs/sealed-secrets/releases/tag/v0.36.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations"
}

