CVE-2026-34984
MEDIUM6.5EPSS 0.04%External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
Description
## Summary The v2 template engine in `runtime/template/v2/template.go` imports Sprig’s `TxtFuncMap()` and removes `env` and `expandenv`, but leaves `getHostByName` available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated ExternalSecret resources can trigger controller-side DNS lookups using secret-derived values, creating a DNS exfiltration primitive. ### Impact This is a confidentiality issue. In environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller can perform DNS resolution, fetched secret material can be exfiltrated through DNS without requiring direct outbound access from the attacker’s workload.
Affected packages (1)
- Go/github.com/external-secrets/external-secretsfrom 0, < 1.3.3-0.20260331202714-6800989bdc12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34984
- PATCHhttps://github.com/external-secrets/external-secrets
- WEBhttps://github.com/external-secrets/external-secrets/commit/6800989bdc12782ca2605d3b8bf7f2876a16551a
- WEBhttps://github.com/external-secrets/external-secrets/releases/tag/v2.3.0
- WEBhttps://github.com/external-secrets/external-secrets/security/advisories/GHSA-r2pg-r6h7-crf3