CVE-2026-34984

Summary

External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine

Severity

high

EPSS

0.3% (p17)

Also known as

GHSA-r2pg-r6h7-crf3

Published

2026-04-13

References

• https://github.com/external-secrets/external-secrets/security/advisories/GHSA-r2pg-r6h7-crf3
• https://nvd.nist.gov/vuln/detail/CVE-2026-34984
• https://github.com/external-secrets/external-secrets/commit/6800989bdc12782ca2605d3b8bf7f2876a16551a

Related advisories

• CVE-2026-42875 — medium · Go/github.com/external-secrets/external-secrets
• CVE-2026-22822 — medium · Go/github.com/external-secrets/external-secrets

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity