diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
index 5eb97b5..414a5d4 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
@@ -15,6 +15,7 @@
 import json
+import urllib.parse
 from tempest import config
 from tempest.lib.common.utils import data_utils
@@ -73,12 +74,21 @@ class SecretClient(base.BarbicanTempestClient):
         self.expected_success(200, resp.status)
         return self._parse_resp(body)
 
-    def get_secret_payload(self, secret_id):
+    def get_secret_payload(self, secret_id, **kwargs):
+        """GET /v1/secrets/{secret_id}/payload
+
+        Retrieve the payload.If kwargs are provided they are added
+        to the request as query string parameters.
+        """
         content_headers = {
             "Accept": "application/octet-stream"
         }
-        resp, body = self.get("v1/secrets/%s/payload" % secret_id,
-                              headers=content_headers)
+        uri = "v1/secrets/{}/payload".format(secret_id)
+        if kwargs:
+            uri += '?'
+            uri += urllib.parse.urlencode(kwargs)
+
+        resp, body = self.get(uri, headers=content_headers)
         self.expected_success(200, resp.status)
         return self._parse_resp(body)
diff --git a/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
new file mode 100644
index 0000000..84c35e2
--- /dev/null
+++ b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
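Review bot: The docstring added to `get_secret_payload` runs two sentences together (`Retrieve the payload.If kwargs are provided`) and should read `Retrieve the payload. If kwargs are provided they are added to the request as query string parameters.`. Because the method now forwards whatever keyword arguments it receives to the query string unvalidated — which is exactly what a policy-bypass regression test needs — the docstring should say so explicitly, e.g. `Parameters are passed through unmodified so tests can exercise server-side handling of arbitrary query strings.`, so a later caller does not assume the client sanitizes them. The two `uri +=` statements in the `if kwargs:` branch could be one line, `uri += "?" + urllib.parse.urlencode(kwargs)`. Note also that `urlencode` without `doseq=True` renders a list value as its repr rather than as repeated parameters; fine for the string values used today, but worth a comment if multi-valued parameters are ever expected.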
@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from barbican_tempest_plugin.tests.rbac.v1 import base
+from oslo_log import log as logging
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class CVE20223100Test(base.BarbicanV1RbacBase):
+
+    @decorators.idempotent_id('459159ef-9670-4c59-8528-09466185c84e')
+    def test_cve_2022_3100(self):
+        # create a secret that belongs to Project B
+        secret_id = self.create_test_secret(
+            self.other_secret_client,
+            data_utils.rand_name('secret-under-test'),
+            'DONT_CVE_ME_PLZ')
+
+        # attempt to retrieve secret payload with user from Project A
+        # using CVE exploit (e.g. by adding the query string
+        # ?target.secret.read=read to the request)
+        query = {'target.secret.read': 'read'}
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.secret_client.get_secret_payload,
+            secret_id,
+            **query)
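Review bot: The test can pass vacuously, because its only assertion is that the cross-project request with `target.secret.read=read` raises `Forbidden`, which is also what a fixture that forbids every payload read (wrong credentials, endpoint down behind a policy 403) would produce. Two controls would pin that the query-string parameter is what is being rejected: a positive read by the owning client, `self.other_secret_client.get_secret_payload(secret_id)`, which presumably succeeds since that client created the secret, and a baseline `self.assertRaises(exceptions.Forbidden, self.secret_client.get_secret_payload, secret_id)` without the query so the two cross-project outcomes are shown to be identical. `CONF` and `LOG` are defined at module level but never used in the file and could be dropped. The comment `# using CVE exploit (e.g. ...)` would be more useful to a future reader if it named the issue it guards against, e.g. `# CVE-2022-3100 regression: policy target attributes supplied in the query string must not grant access`.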