{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22728", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.497Z", "datePublished": "2026-02-26T00:50:00.863Z", "dateUpdated": "2026-02-26T15:58:32.372Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "sealed-secrets", "vendor": "Bitnami", "versions": [{"lessThan": "<0.36.0", "status": "affected", "version": "0.35.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(241, 242, 244);\">Bitnami </span><b>Sealed Secrets</b><span style=\"background-color: rgb(241, 242, 244);\">&nbsp;is vulnerable to a scope-widening attack during</span><br><span style=\"background-color: rgb(241, 242, 244);\">the secret rotation (/v1/rotate) flow. The rotation handler derives the</span><br><span style=\"background-color: rgb(241, 242, 244);\">sealing scope for the newly encrypted output from untrusted</span><br><span style=\"background-color: rgb(241, 242, 244);\">spec.template.metadata.annotations present in the input SealedSecret.</span><br><span style=\"background-color: rgb(241, 242, 244);\">By submitting a victim SealedSecret to the rotate endpoint with the</span><br><span style=\"background-color: rgb(241, 242, 244);\">annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the</span><br><span style=\"background-color: rgb(241, 242, 244);\">template metadata, a remote attacker can obtain a rotated version of the</span><br><span style=\"background-color: rgb(241, 242, 244);\">secret that is cluster-wide. This bypasses original \"strict\" or</span><br><span style=\"background-color: rgb(241, 242, 244);\">\"namespace-wide\" constraints, allowing the attacker to retarget and unseal</span><br><span style=\"background-color: rgb(241, 242, 244);\">the secret in any namespace or under any name to recover the plaintext</span><br><span style=\"background-color: rgb(241, 242, 244);\">credentials.</span><br>"}], "value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-02-26T00:50:00.863Z"}, "references": [{"url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"}], "source": {"discovery": "EXTERNAL"}, "title": "sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:58:00.603738Z", "id": "CVE-2026-22728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:58:32.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:58:00.603738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:58:19.231Z"}}], "cna": {"title": "sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Bitnami", "product": "sealed-secrets", "versions": [{"status": "affected", "version": "0.35.0", "lessThan": "<0.36.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(241, 242, 244);\">Bitnami </span><b>Sealed Secrets</b><span style=\"background-color: rgb(241, 242, 244);\">&nbsp;is vulnerable to a scope-widening attack during</span><br><span style=\"background-color: rgb(241, 242, 244);\">the secret rotation (/v1/rotate) flow. The rotation handler derives the</span><br><span style=\"background-color: rgb(241, 242, 244);\">sealing scope for the newly encrypted output from untrusted</span><br><span style=\"background-color: rgb(241, 242, 244);\">spec.template.metadata.annotations present in the input SealedSecret.</span><br><span style=\"background-color: rgb(241, 242, 244);\">By submitting a victim SealedSecret to the rotate endpoint with the</span><br><span style=\"background-color: rgb(241, 242, 244);\">annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the</span><br><span style=\"background-color: rgb(241, 242, 244);\">template metadata, a remote attacker can obtain a rotated version of the</span><br><span style=\"background-color: rgb(241, 242, 244);\">secret that is cluster-wide. This bypasses original \"strict\" or</span><br><span style=\"background-color: rgb(241, 242, 244);\">\"namespace-wide\" constraints, allowing the attacker to retarget and unseal</span><br><span style=\"background-color: rgb(241, 242, 244);\">the secret in any namespace or under any name to recover the plaintext</span><br><span style=\"background-color: rgb(241, 242, 244);\">credentials.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-02-26T00:50:00.863Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22728", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:58:32.372Z", "dateReserved": "2026-01-09T06:54:41.497Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-02-26T00:50:00.863Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials."}, {"lang": "es", "value": "Bitnami Sealed Secrets es vulnerable a un ataque de ampliaci\u00f3n de alcance durante el flujo de rotaci\u00f3n de secretos (/v1/rotate). El gestor de rotaci\u00f3n deriva el alcance de sellado para la salida reci\u00e9n cifrada de anotaciones no confiables spec.template.metadata.annotations presentes en el SealedSecret de entrada. Al enviar un SealedSecret v\u00edctima al endpoint de rotaci\u00f3n con la anotaci\u00f3n sealedsecrets.bitnami.com/cluster-wide=true inyectada en los metadatos de la plantilla, un atacante remoto puede obtener una versi\u00f3n rotada del secreto que es a nivel de cl\u00faster. Esto elude las restricciones originales 'strict' o 'namespace-wide', permitiendo al atacante reorientar y desellar el secreto en cualquier espacio de nombres o bajo cualquier nombre para recuperar las credenciales en texto plano."}], "id": "CVE-2026-22728", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:20.187", "references": [{"source": "security@vmware.com", "url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.35.0,0.36.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sealed-secrets", "source": "cna", "vendor": "Bitnami"}, "product": "sealed-secrets", "vendor": "bitnami"}], "analysis": {"en": {"generated_at": "2026-04-17T14:35:13.011201+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or upgrade Bitnami Sealed Secrets to a version that removes the untrusted annotation source from the rotation process.", "Restrict access to the /v1/rotate API by configuring RBAC rules so that only trusted service accounts or users can perform secret rotation.", "Monitor SealedSecret objects for the presence of the sealedsecrets.bitnami.com/cluster-wide annotation and investigate any unauthorized occurrences.", "Disable the rotation feature if it is not required in your environment."], "summary": {"action": "Patch Immediately", "impact": "Secret Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Bitnami Sealed Secrets component used in Kubernetes clusters. All versions that expose the /v1/rotate API are impacted; no specific version range was provided in the advisory.", "description_and_impact": "Bitnami Sealed Secrets allows secret rotation through the /v1/rotate endpoint. The rotation logic incorrectly derives the sealing scope from untrusted template annotations in the submitted SealedSecret. If an attacker injects the annotation sealedsecrets.bitnami.com/cluster-wide=true, the rotated secret becomes cluster\u2011wide, bypassing namespace restrictions. This permits the attacker to unseal or retrieve the plaintext credentials in any namespace or for any name, resulting in confidential data exposure.", "risk_and_exploitability": "The CVSS score is 4.9, indicating moderate risk, and the EPSS probability is less than 1%, suggesting low exploitation likelihood. The security community has not listed this issue in the CISA KEV catalog. Exploitation requires the ability to submit a SealedSecret to the rotation endpoint, which is typically controlled by users with create permissions in a namespace. A malicious user able to do so can craft a SealedSecret containing the cluster\u2011wide annotation, obtain a rotated cluster\u2011wide secret, and unseal it elsewhere to recover sensitive data."}}}}, "created": "2026-02-26T13:10:14.227165+00:00", "updated": "2026-04-17T14:45:21.026392+00:00", "vendors": ["bitnami", "bitnami$PRODUCT$sealed-secrets"]}