
CVE-2026-22728: The Old Switcheroo: Unsealing Secrets via Metadata Manipulation in Bitnami Sealed Secrets
Vulnerability ID: CVE-2026-22728
CVSS Score: 4.9
Published: 2026-02-26

Bitnami Sealed Secrets, the standard-bearer for GitOps secret management, contains a logic flaw in its key rotation mechanism that allows attackers to widen the scope of encrypted secrets. By injecting malicious metadata during the rotation process, an attacker can transform a strictly scoped secret (bound to a specific namespace) into a cluster-wide secret, subsequently recovering the plaintext credentials. This vulnerability highlights a classic 'Time-of-Check to Time-of-Use' (TOCTOU) style disconnect between the decryption and re-encryption phases.

TL;DR

A logic flaw in the /v1/rotate endpoint allows attackers to bypass scope restrictions. By modifying the metadata of a SealedSecret during rotation, an attacker can force the controller to re-encrypt a restricted secret as 'cluster-wide,' enabling them to decrypt it in any na
Continue reading on Dev.to
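The defensive invariant behind the summary above is that a rotation must never produce output with a wider scope than the input it decrypted. The following Go snippet is an added example written for this page; it is not code from the Sealed Secrets project and does not reproduce its rotation logic. It assumes the scope annotations Sealed Secrets uses on SealedSecret objects (`sealedsecrets.bitnami.com/namespace-wide` and `sealedsecrets.bitnami.com/cluster-wide`, both set to the string "true") and introduces a hypothetical `CheckRotation` guard that derives the scope from the stored object's own annotations and refuses a request whose metadata would widen it, which is the kind of check a controller or admission webhook could apply between the decrypt and re-encrypt steps.

```go
package main

import "fmt"

// Scope of a SealedSecret, ordered from narrowest to widest so that
// "wider than" is a plain integer comparison.
type Scope int

const (
	ScopeStrict        Scope = iota // bound to both name and namespace (the default)
	ScopeNamespaceWide              // bound to the namespace only
	ScopeClusterWide                // usable in any namespace of the cluster
)

func (s Scope) String() string {
	switch s {
	case ScopeStrict:
		return "strict"
	case ScopeNamespaceWide:
		return "namespace-wide"
	case ScopeClusterWide:
		return "cluster-wide"
	}
	return "unknown"
}

// Annotation keys Sealed Secrets uses to declare a widened scope
// (assumed here from the project's documented behaviour, not from this page).
const (
	annoNamespaceWide = "sealedsecrets.bitnami.com/namespace-wide"
	annoClusterWide   = "sealedsecrets.bitnami.com/cluster-wide"
)

// ScopeFromAnnotations derives the effective scope from object metadata.
// cluster-wide takes precedence over namespace-wide when both are present.
func ScopeFromAnnotations(anno map[string]string) Scope {
	if anno[annoClusterWide] == "true" {
		return ScopeClusterWide
	}
	if anno[annoNamespaceWide] == "true" {
		return ScopeNamespaceWide
	}
	return ScopeStrict
}

// CheckRotation is a hypothetical guard: `stored` are the annotations of the
// object that was actually decrypted, `requested` are the annotations supplied
// with the rotation request. Re-encryption may keep or narrow the scope, but a
// request that widens it is refused, closing the decrypt/re-encrypt gap.
func CheckRotation(stored, requested map[string]string) error {
	in, out := ScopeFromAnnotations(stored), ScopeFromAnnotations(requested)
	if out > in {
		return fmt.Errorf("rotation would widen scope from %s to %s: refused", in, out)
	}
	return nil
}

func main() {
	// Constructed sample: a strictly scoped secret whose rotation request
	// carries an injected cluster-wide annotation.
	stored := map[string]string{}
	requested := map[string]string{annoClusterWide: "true"}
	if err := CheckRotation(stored, requested); err != nil {
		fmt.Println("blocked:", err)
	}
	// Same scope on both sides is allowed.
	if err := CheckRotation(stored, stored); err == nil {
		fmt.Println("allowed: scope unchanged (strict)")
	}
}
```

The essential design choice is that the scope fed into re-encryption comes from the decrypted object, never from request-supplied metadata, so an attacker who can influence the request body cannot change what the controller treats as the secret's scope.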