CVE-2026-22728 (GCVE-0-2026-22728)

Vulnerability from cvelistv5 – Published: 2026-02-26 00:50 – Updated: 2026-02-26 15:58
Title
sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations
Summary
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim SealedSecret to the rotate endpoint with the annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the template metadata, a remote attacker can obtain a rotated version of the secret that is cluster-wide. This bypasses original "strict" or "namespace-wide" constraints, allowing the attacker to retarget and unseal the secret in any namespace or under any name to recover the plaintext credentials.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
CWE-284 (Improper Access Control)
Assigner
vmware
Impacted products
Vendor Product Version
Bitnami sealed-secrets Affected: 0.35.0, < 0.36.0 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T15:58:00.603738Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:58:32.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "sealed-secrets",
          "vendor": "Bitnami",
          "versions": [
            {
              "lessThan": "\u003c0.36.0",
              "status": "affected",
              "version": "0.35.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eBitnami \u003c/span\u003e\u003cb\u003eSealed Secrets\u003c/b\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003e\u0026nbsp;is vulnerable to a scope-widening attack during\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ethe secret rotation (/v1/rotate) flow. The rotation handler derives the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003esealing scope for the newly encrypted output from untrusted\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003espec.template.metadata.annotations present in the input SealedSecret.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eBy submitting a victim SealedSecret to the rotate endpoint with the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003etemplate metadata, a remote attacker can obtain a rotated version of the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003esecret that is cluster-wide. This bypasses original \"strict\" or\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003e\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ethe secret in any namespace or under any name to recover the plaintext\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ecredentials.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T00:50:00.863Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-22728",
    "datePublished": "2026-02-26T00:50:00.863Z",
    "dateReserved": "2026-01-09T06:54:41.497Z",
    "dateUpdated": "2026-02-26T15:58:32.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-22728",
      "date": "2026-07-01",
      "epss": "0.00352",
      "percentile": "0.27147"
    }
  }
}