Overview

A critical security flaw has been discovered in three popular Bitnami Helm charts—WordPress, Appsmith, and Drupal—which could allow remote attackers to access sensitive Kubernetes secrets via predictable URL paths.

Technical Details

The vulnerability stems from the charts mounting Kubernetes secrets under a predictable path (/opt/bitnami/*/secrets) located within the web server’s document root. If the application is exposed externally and the default setting usePasswordFiles=true is used, secrets may be accessible via HTTP/S without authentication.

  • CVE ID: CVE-2025-41240
  • Severity: Critical (CVSS v3 Score: 10.0)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • Impact: High confidentiality, integrity, and availability risks


Affected Charts

  • bitnami/wordpress: Versions ≥ 24.2.0 and < 25.0.4
  • bitnami/appsmith: Versions ≥ 5.2.0 and < 6.0.19
  • bitnami/drupal: Versions ≥ 21.2.0 and < 22.0.4


Recommended Remediations

ctrl:cyber recommends patching affected deployments immediately and reviewing configurations to prevent unauthorised access to sensitive data.

  • Upgrade to at least the nearest patched version of each chart:
    • WordPress: 25.0.4
    • Appsmith: 6.0.19
    • Drupal: 22.0.4
  • Workaround Options:
    • Set usePasswordFiles=false to use environment variables instead of mounting secrets as files.
    • Apply web server or ingress rules to restrict access to the secrets path.
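The version ranges listed under Affected Charts and the two remediation options above can be turned into a quick cluster audit. The following script is an added example written for this advisory, not code from Bitnami or from the charts themselves. It encodes the published affected ranges, parses the JSON that `helm list -A -o json` emits (the sample input embedded below is constructed, not captured from a real cluster), and for each affected release produces the upgrade command to the nearest patched version plus the `usePasswordFiles=false` workaround command. It assumes the Bitnami repository is registered under the alias `bitnami` and that `--reuse-values` is appropriate for the release; adjust both to your environment.

```python
"""Audit Helm releases for CVE-2025-41240 (added example, not Bitnami code)."""
import json
import re
import subprocess
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as published in the advisory: [first_affected, first_fixed)
AFFECTED: Dict[str, Tuple[str, str]] = {
    "wordpress": ("24.2.0", "25.0.4"),
    "appsmith": ("5.2.0", "6.0.19"),
    "drupal": ("21.2.0", "22.0.4"),
}

# `helm list` reports the chart as "<name>-<version>", e.g. "wordpress-24.2.0".
CHART_RE = re.compile(r"^(?P<name>.+)-(?P<version>\d+(?:\.\d+)*)$")

# Constructed sample of `helm list -A -o json` output (not from a real cluster).
SAMPLE_HELM_LIST = json.dumps([
    {"name": "blog", "namespace": "web", "chart": "wordpress-24.3.1"},
    {"name": "cms", "namespace": "web", "chart": "drupal-22.0.4"},
    {"name": "lowcode", "namespace": "apps", "chart": "appsmith-5.2.0"},
    {"name": "cache", "namespace": "infra", "chart": "redis-20.6.0"},
])


def parse_version(text: str) -> Version:
    """'24.2.0' -> (24, 2, 0); tuples compare correctly component-wise."""
    return tuple(int(part) for part in text.split("."))


def split_chart(chart: str) -> Tuple[str, str]:
    """'wordpress-24.2.0' -> ('wordpress', '24.2.0')."""
    match = CHART_RE.match(chart)
    if not match:
        raise ValueError(f"unrecognised chart reference: {chart!r}")
    return match.group("name"), match.group("version")


def is_affected(chart_name: str, version: str) -> bool:
    """True when the chart version falls inside the published affected range."""
    rng = AFFECTED.get(chart_name)
    if rng is None:
        return False
    first_affected, first_fixed = rng
    current = parse_version(version)
    return parse_version(first_affected) <= current < parse_version(first_fixed)


def audit(helm_list_json: str) -> List[dict]:
    """Return one finding per affected release with both remediation commands.

    Assumes the Bitnami repo alias is `bitnami` (assumption, not from the advisory).
    """
    findings = []
    for release in json.loads(helm_list_json):
        name, version = split_chart(release["chart"])
        if not is_affected(name, version):
            continue
        fixed = AFFECTED[name][1]
        target = f"helm upgrade {release['name']} bitnami/{name} -n {release['namespace']}"
        findings.append({
            "release": release["name"],
            "namespace": release["namespace"],
            "chart": name,
            "version": version,
            "fixed_version": fixed,
            # Preferred fix: move to the first patched chart version.
            "upgrade": f"{target} --version {fixed} --reuse-values",
            # Interim workaround from the advisory: stop mounting secrets as files.
            "workaround": f"{target} --reuse-values --set usePasswordFiles=false",
        })
    return findings


def live_audit() -> List[dict]:
    """Run the audit against the current kube context (requires the helm CLI)."""
    out = subprocess.run(["helm", "list", "-A", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HELM_LIST):
        print(f"{finding['namespace']}/{finding['release']}: "
              f"{finding['chart']} {finding['version']} -> {finding['fixed_version']}")
        print("  fix:        ", finding["upgrade"])
        print("  workaround: ", finding["workaround"])
```

Running the script against the constructed sample flags `blog` (wordpress 24.3.1) and `lowcode` (appsmith 5.2.0, the first affected version) while leaving `cms` alone, since drupal 22.0.4 is the first fixed release. Swap `audit(SAMPLE_HELM_LIST)` for `live_audit()` to check a real cluster.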

Sources: Bitnami (GitHub), CVE details, Tenable