
CVE-2026-22728: CWE-284 in Bitnami sealed-secrets

Severity: Medium
Tags: Vulnerability, CVE-2026-22728, CWE-284
Published: Thu Feb 26 2026 (02/26/2026, 00:50:00 UTC)
Source: CVE Database V5
Vendor/Project: Bitnami
Product: sealed-secrets

Description

CVE-2026-22728 is a medium severity vulnerability in Bitnami Sealed Secrets version 0.35.0 that allows a scope-widening attack during the secret rotation process. An attacker with high privileges can manipulate the annotations in a SealedSecret to escalate the scope of the rotated secret to cluster-wide, bypassing namespace restrictions. This enables the attacker to unseal secrets in any namespace or under any name, potentially exposing plaintext credentials. The vulnerability stems from improper authorization checks (CWE-284) in the rotation handler, which trusts unvalidated input annotations. Exploitation requires authenticated access, and no user interaction is needed. There are no known exploits in the wild, and no patches have been linked yet. Organizations using Bitnami Sealed Secrets 0.35.

AI-Powered Analysis

Last updated: 02/26/2026, 01:43:35 UTC

Technical Analysis

Bitnami Sealed Secrets is a Kubernetes controller that encrypts secrets so they can be safely stored in version control. In version 0.35.0, the secret rotation endpoint (/v1/rotate) contains a vulnerability (CVE-2026-22728) classified under CWE-284 (Improper Access Control). During secret rotation, the handler derives the sealing scope for the new encrypted secret from the annotations in the input SealedSecret's template metadata. However, these annotations are untrusted user input and can be manipulated. By injecting the annotation sealedsecrets.bitnami.com/cluster-wide=true, an attacker with authenticated access to the rotate endpoint can escalate the scope of the rotated secret from namespace-restricted to cluster-wide. This bypasses the original strict or namespace-wide constraints, allowing the attacker to retarget and unseal the secret in any namespace or under any name, thereby recovering plaintext credentials. The vulnerability requires high privileges (authenticated user) but no user interaction. The CVSS v3.1 base score is 4.9 (medium), reflecting network attack vector, low attack complexity, required privileges, and high confidentiality impact without integrity or availability impact. No patches have been published yet, and no known exploits are reported in the wild. This flaw highlights the risk of trusting unvalidated metadata in Kubernetes controllers managing sensitive data.

Potential Impact

The primary impact of CVE-2026-22728 is unauthorized disclosure of sensitive secrets stored in Kubernetes clusters using Bitnami Sealed Secrets 0.35.0. By exploiting this vulnerability, an attacker with authenticated access to the secret rotation endpoint can escalate the scope of secrets from namespace-limited to cluster-wide. This allows the attacker to decrypt secrets across namespaces, potentially exposing credentials, API keys, or other sensitive configuration data. Such exposure can lead to lateral movement within the cluster, privilege escalation, and compromise of critical workloads. Organizations relying on sealed-secrets for secure secret management face increased risk of data breaches and operational disruption. Although exploitation requires authenticated access, the widespread use of Kubernetes and Bitnami Sealed Secrets in cloud-native environments means many organizations globally could be affected. The vulnerability undermines the confidentiality guarantees of sealed-secrets, impacting trust in secret management workflows.

Mitigation Recommendations

To mitigate CVE-2026-22728, organizations should:

1) Restrict access to the /v1/rotate endpoint to only highly trusted and authenticated users or service accounts, minimizing the attack surface.
2) Implement strict RBAC policies in Kubernetes to limit who can invoke secret rotation operations.
3) Monitor and audit usage of the rotate endpoint and SealedSecret annotations for suspicious or unauthorized modifications, especially the sealedsecrets.bitnami.com/cluster-wide annotation.
4) Avoid using version 0.35.0 of Bitnami Sealed Secrets until an official patch is released; upgrade to a fixed version once available.
5) Consider additional encryption or access controls external to sealed-secrets for highly sensitive secrets.
6) Review and validate all input metadata in secret rotation workflows to prevent injection of unauthorized annotations.
7) Employ network segmentation and zero-trust principles to limit exposure of Kubernetes API endpoints.

These targeted measures go beyond generic advice by focusing on controlling access to the vulnerable rotation functionality and monitoring for exploitation attempts.
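As an added example (not sealed-secrets' own code), the validation that item 6 calls for, written in Go since that is the project's language: the rotation handler takes its authoritative scope from the SealedSecret already stored in the cluster and refuses a rotate request whose template annotations would widen that scope. The scope ranking and the function names are assumptions of this example; the two annotation keys are the ones sealed-secrets documents.

```go
package main

import (
	"errors"
	"fmt"
)

// SealingScope ranks the sealed-secrets scopes from narrowest to widest.
// The ranking is an assumption of this example, not a sealed-secrets type.
type SealingScope int

const (
	StrictScope        SealingScope = iota // bound to namespace and name
	NamespaceWideScope                     // bound to namespace only
	ClusterWideScope                       // unseals under any namespace or name
)

func (s SealingScope) String() string {
	return [...]string{"strict", "namespace-wide", "cluster-wide"}[s]
}

// Annotation keys as documented by sealed-secrets.
const (
	clusterWideAnnotation   = "sealedsecrets.bitnami.com/cluster-wide"
	namespaceWideAnnotation = "sealedsecrets.bitnami.com/namespace-wide"
)

// ScopeFromAnnotations maps template-metadata annotations to a scope:
// cluster-wide wins over namespace-wide, and no annotation means strict.
func ScopeFromAnnotations(ann map[string]string) SealingScope {
	if ann[clusterWideAnnotation] == "true" {
		return ClusterWideScope
	}
	if ann[namespaceWideAnnotation] == "true" {
		return NamespaceWideScope
	}
	return StrictScope
}

var ErrScopeWidening = errors.New("rotation may not widen sealing scope")

// RotationScope chooses the scope for the rotated secret: the stored SealedSecret
// is authoritative, and request annotations may narrow that scope but never widen it.
func RotationScope(stored, requested map[string]string) (SealingScope, error) {
	have, want := ScopeFromAnnotations(stored), ScopeFromAnnotations(requested)
	if want > have {
		return have, fmt.Errorf("%w: stored %s, requested %s", ErrScopeWidening, have, want)
	}
	return want, nil
}
```

A handler built this way still needs the RBAC and endpoint restrictions from items 1 and 2; the check only removes the annotation-driven widening path.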


Technical Details

Data Version: 5.2
Assigner Short Name: vmware
Date Reserved: 2026-01-09T06:54:41.497Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699fa148b7ef31ef0b77969a

Added to database: 2/26/2026, 1:26:32 AM

Last enriched: 2/26/2026, 1:43:35 AM

Last updated: 2/26/2026, 11:30:02 AM
