FKIE_CVE-2026-22728
Vulnerability from fkie_nvd - Published: 2026-02-26 02:16 - Updated: 2026-04-15 00:35
Severity: MEDIUM (CVSS 3.1 base score 4.9)
Summary
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during
the secret rotation (/v1/rotate) flow. The rotation handler derives the
sealing scope for the newly encrypted output from untrusted
spec.template.metadata.annotations present in the input SealedSecret.
By submitting a victim SealedSecret to the rotate endpoint with the
annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the
template metadata, a remote attacker can obtain a rotated version of the
secret that is cluster-wide. This bypasses original "strict" or
"namespace-wide" constraints, allowing the attacker to retarget and unseal
the secret in any namespace or under any name to recover the plaintext
credentials.
References
- https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials."
    },
    {
      "lang": "es",
      "value": "Bitnami Sealed Secrets es vulnerable a un ataque de ampliaci\u00f3n de alcance durante el flujo de rotaci\u00f3n de secretos (/v1/rotate). El gestor de rotaci\u00f3n deriva el alcance de sellado para la salida reci\u00e9n cifrada de anotaciones no confiables spec.template.metadata.annotations presentes en el SealedSecret de entrada. Al enviar un SealedSecret v\u00edctima al endpoint de rotaci\u00f3n con la anotaci\u00f3n sealedsecrets.bitnami.com/cluster-wide=true inyectada en los metadatos de la plantilla, un atacante remoto puede obtener una versi\u00f3n rotada del secreto que es a nivel de cl\u00faster. Esto elude las restricciones originales \u0027strict\u0027 o \u0027namespace-wide\u0027, permitiendo al atacante reorientar y desellar el secreto en cualquier espacio de nombres o bajo cualquier nombre para recuperar las credenciales en texto plano."
    }
  ],
  "id": "CVE-2026-22728",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "security@vmware.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T02:16:20.187",
  "references": [
    {
      "source": "security@vmware.com",
      "url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@vmware.com",
      "type": "Secondary"
    }
  ]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.