CVE-2026-42876 — External Secrets Operator reads information from a
CVE-2026-42876 — External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automat
What This Means For You
- If your environment is affected by CWE-285, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-42876 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Free Tier: External Secrets Operator Secret Creation - CVE-2026-42876
title: Free Tier: External Secrets Operator Secret Creation - CVE-2026-42876
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
This rule detects the creation of Kubernetes Secrets by the External Secrets Operator (ESO) in versions prior to 2.4.1. An unauthenticated user with permissions to create ExternalSecret resources can exploit this to create a Secret that is automatically populated with a long-lived token for a specified service account, effectively allowing impersonation. This rule specifically looks for the ESO binary being executed with a common configuration flag that might be present during exploitation, combined with the creation of a Secret object implicitly handled by the operator.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42876/
tags:
- attack.privilege_escalation
- attack.t1078.001
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- '/external-secrets'
CommandLine|contains:
- '--enable-leader-election=false'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42876 | vulnerability | CVE-2026-42876 |
| CWE-285 | weakness | CWE-285 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 23:25 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-43874: WWBN AVideo WebSocket Vulnerability Allows RCE
CVE-2026-43874 — WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval...
Pi-hole Privilege Escalation via Systemd Scripts (CVE-2026-41489)
CVE-2026-41489 — Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and...
CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability
CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....