Search criteria
2 vulnerabilities by bitnami
CVE-2026-22728 (GCVE-0-2026-22728)
Vulnerability from cvelistv5 – Published: 2026-02-26 00:50 – Updated: 2026-02-26 15:58
VLAI?
Title
sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations
Summary
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during
the secret rotation (/v1/rotate) flow. The rotation handler derives the
sealing scope for the newly encrypted output from untrusted
spec.template.metadata.annotations present in the input SealedSecret.
By submitting a victim SealedSecret to the rotate endpoint with the
annotation sealedsecrets.bitnami.com/cluster-wide=true injected into the
template metadata, a remote attacker can obtain a rotated version of the
secret that is cluster-wide. This bypasses original "strict" or
"namespace-wide" constraints, allowing the attacker to retarget and unseal
the secret in any namespace or under any name to recover the plaintext
credentials.
Severity ?
4.9 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bitnami | sealed-secrets |
Affected:
0.35.0 , < <0.36.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T15:58:00.603738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:58:32.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "sealed-secrets",
"vendor": "Bitnami",
"versions": [
{
"lessThan": "\u003c0.36.0",
"status": "affected",
"version": "0.35.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eBitnami \u003c/span\u003e\u003cb\u003eSealed Secrets\u003c/b\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003e\u0026nbsp;is vulnerable to a scope-widening attack during\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ethe secret rotation (/v1/rotate) flow. The rotation handler derives the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003esealing scope for the newly encrypted output from untrusted\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003espec.template.metadata.annotations present in the input SealedSecret.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eBy submitting a victim SealedSecret to the rotate endpoint with the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003eannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003etemplate metadata, a remote attacker can obtain a rotated version of the\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003esecret that is cluster-wide. This bypasses original \"strict\" or\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003e\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ethe secret in any namespace or under any name to recover the plaintext\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(241, 242, 244);\"\u003ecredentials.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Bitnami Sealed Secrets\u00a0is vulnerable to a scope-widening attack during\nthe secret rotation (/v1/rotate) flow. The rotation handler derives the\nsealing scope for the newly encrypted output from untrusted\nspec.template.metadata.annotations present in the input SealedSecret.\nBy submitting a victim SealedSecret to the rotate endpoint with the\nannotation sealedsecrets.bitnami.com/cluster-wide=true injected into the\ntemplate metadata, a remote attacker can obtain a rotated version of the\nsecret that is cluster-wide. This bypasses original \"strict\" or\n\"namespace-wide\" constraints, allowing the attacker to retarget and unseal\nthe secret in any namespace or under any name to recover the plaintext\ncredentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T00:50:00.863Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/bitnami-labs/sealed-secrets/security/advisories/GHSA-465p-v42x-3fmj"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22728",
"datePublished": "2026-02-26T00:50:00.863Z",
"dateReserved": "2026-01-09T06:54:41.497Z",
"dateUpdated": "2026-02-26T15:58:32.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-21979 (GCVE-0-2021-21979)
Vulnerability from cvelistv5 – Published: 2021-03-03 16:15 – Updated: 2024-08-03 18:30
VLAI?
Summary
In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.
Severity ?
No CVSS data available.
CWE
- APP_KEY fixed in the container image
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Bitnami Containers |
Affected:
All Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:23.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bitnami/bitnami-docker-laravel/issues/139"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitnami Containers",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application\u0027s encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "APP_KEY fixed in the container image",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-03T16:15:14.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bitnami/bitnami-docker-laravel/issues/139"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2021-21979",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitnami Containers",
"version": {
"version_data": [
{
"version_value": "All Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application\u0027s encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "APP_KEY fixed in the container image"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bitnami/bitnami-docker-laravel/issues/139",
"refsource": "MISC",
"url": "https://github.com/bitnami/bitnami-docker-laravel/issues/139"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2021-21979",
"datePublished": "2021-03-03T16:15:14.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:30:23.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}