    GHSA-HX4V-CXPF-VH8M

    Vulnerability from github – Published: 2026-07-01 20:45 – Updated: 2026-07-01 20:45
    Summary
    Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
    Details

    Impact

    A vulnerability has been identified in Fleet when the helmRepoURLRegex field isn't set on a GitRepo resource. Fleet's bundle reader forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file.

    An attacker with git push access to a Fleet-monitored repository can exploit this behavior by specifying a malicious URL in helm.repo. This causes the Fleet controller to send the configured Helm repository credentials to the attacker’s server.

    As a result, the attacker can capture the username and password that an administrator configured to access a private Helm chart repository. However, the response body from the attacker's server isn't included in the error message (this behavior was fixed in Fleet v0.13.3 and later), which prevents additional internal data from leaking through the status condition.

    The final severity of this vulnerability depends on the specific permissions of the leaked credentials.

    Fleet recommends you to:
    1. Review your system for potentially leaked credentials.
    2. Replace any credentials that might be compromised.

    Please consult the associated MITRE ATT&CK - Technique - Stored Data Manipulation (https://attack.mitre.org/techniques/T1565/001/) and MITRE ATT&CK - Technique - Steal Application Access Token (https://attack.mitre.org/techniques/T1528/) for further information about this category of attack.

    Patches

    To resolve this vulnerability, upgrade to a patched version of Fleet. The patched version of Fleet now requires you to set the helmRepoURLRegex field on the GitRepo. If the helmRepoURLRegex is empty or missing, Fleet won’t send credentials, regardless of the URL specified in fleet.yaml.

    When you upgrade, a Helm pre-upgrade job automatically migrates existing GitRepo resources that have helmSecretName or helmSecretNameForPaths configured but lack a helmRepoURLRegex. The migration job performs the following actions:

    The job extracts the scheme and host from the Helm repository URLs already stored in the resource's Bundles. For example, a GitRepo with Bundles referencing https://charts.example.com/stable receives helmRepoURLRegex: "^https://charts\.example\.com/". This limits credential forwarding to the origins already in use before the upgrade. Migrated resources are annotated with fleet.cattle.io/helm-regex-auto-migrated: "true" so you can easily audit them.

    If no Bundles with Helm repository URLs exist during the migration (for example, if the GitRepo has never successfully synced), helmRepoURLRegex remains empty and credentials aren't forwarded. You must set this field manually before Fleet will send credentials.

    The migration job runs only once per installation and records its status in a ConfigMap named fleet-helm-url-regex-migrated in the Fleet system namespace. Any GitRepo resources you create after the upgrade require an explicit helmRepoURLRegex to forward credentials.

    Patched versions of Fleet include releases v0.15.2, v0.14.6, v0.13.11, and v0.12.15.

    Workarounds

    If you cannot immediately upgrade to a patched version, use the following methods to mitigate the risk and audit your environment. Set helmRepoURLRegex on all GitRepo resources that use helmSecretName. Ensure the regular expression matches only your legitimate Helm repository URL.

    Example configuration:

    apiVersion: fleet.cattle.io/v1alpha1
    kind: GitRepo
    metadata:
      name: my-app
      namespace: fleet-local
    spec:
      repo: https://git.example.com/org/my-app.git
      helmSecretName: helm-creds
      helmRepoURLRegex: "^https://charts\\.example\\.com/.*"
    

    After upgrading to a patched version, review all auto-migrated GitRepo resources by running the following command:

    kubectl get gitrepo -A -o json | \
      jq -r '.items[] | select(.metadata.annotations["fleet.cattle.io/helm-regex-auto-migrated"] == "true") | "\(.metadata.namespace)/\(.metadata.name): \(.spec.helmRepoURLRegex)"'
    

    Verify that the auto-derived regular expression matches only your intended Helm repository origins. If a regular expression is broader than necessary, replace it with a more specific pattern.
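    The forwarding decision described in the Impact and Patches sections, the scheme-and-host regex the migration job derives, and the "is this regex broader than necessary" check the Workarounds section asks for, modelled as an added Go example. This is not Fleet's own code: the function names, the canary host used for the breadth check, and the alternation used when several origins are found are this example's assumptions (the advisory only shows the single-origin case).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not Fleet's own code: it models the forwarding decision the
// advisory describes (before and after the patch), the regex the migration job
// derives from existing Bundle URLs, and a check for over-broad regexes.

// shouldForwardCredentials is the patched rule: credentials leave the
// controller only when helmRepoURLRegex is non-empty AND matches the helm.repo
// URL taken from fleet.yaml. An empty or missing regex never forwards.
func shouldForwardCredentials(helmRepoURL, helmRepoURLRegex string) (bool, error) {
	if strings.TrimSpace(helmRepoURLRegex) == "" {
		return false, nil
	}
	re, err := regexp.Compile(helmRepoURLRegex)
	if err != nil {
		return false, fmt.Errorf("invalid helmRepoURLRegex %q: %w", helmRepoURLRegex, err)
	}
	return re.MatchString(helmRepoURL), nil
}

// forwardedBeforePatch models the pre-patch behaviour the advisory describes:
// with no regex configured, credentials went to whatever URL helm.repo named,
// so whoever could push fleet.yaml chose the destination.
func forwardedBeforePatch(helmRepoURL, helmRepoURLRegex string) (bool, error) {
	if strings.TrimSpace(helmRepoURLRegex) == "" {
		return true, nil
	}
	return shouldForwardCredentials(helmRepoURL, helmRepoURLRegex)
}

// deriveRegexFromBundleURLs mimics the migration job: scheme and host of each
// Helm repository URL already used by the Bundles become an anchored, escaped
// prefix, so forwarding stays limited to origins in use before the upgrade.
// No usable URL yields "" and credentials stay withheld until an admin sets the
// field. Joining several origins with alternation is this example's assumption.
func deriveRegexFromBundleURLs(bundleURLs []string) string {
	seen := map[string]bool{}
	var origins []string
	for _, raw := range bundleURLs {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme == "" || u.Host == "" {
			continue
		}
		origin := u.Scheme + "://" + u.Host + "/"
		if !seen[origin] {
			seen[origin] = true
			origins = append(origins, regexp.QuoteMeta(origin))
		}
	}
	switch len(origins) {
	case 0:
		return ""
	case 1:
		return "^" + origins[0]
	}
	return "^(" + strings.Join(origins, "|") + ")"
}

// isOverlyBroad is the audit step from the Workarounds section: a regex is too
// loose if it also admits an origin you do not control, probed here with a
// constructed canary host that no real chart repository uses.
func isOverlyBroad(helmRepoURLRegex string) bool {
	ok, err := shouldForwardCredentials("https://canary.invalid/charts", helmRepoURLRegex)
	return err == nil && ok
}

func main() {
	// Constructed inputs: URLs the GitRepo's Bundles already referenced, and
	// helm.repo values that a later fleet.yaml might carry.
	derived := deriveRegexFromBundleURLs([]string{
		"https://charts.example.com/stable", "https://charts.example.com/incubator",
	})
	fmt.Printf("derived helmRepoURLRegex: %s\n", derived)
	for _, helmRepo := range []string{"https://charts.example.com/stable", "https://other.invalid/charts"} {
		for _, regex := range []string{"", derived, "^https://"} {
			before, _ := forwardedBeforePatch(helmRepo, regex)
			after, _ := shouldForwardCredentials(helmRepo, regex)
			fmt.Printf("repo=%s regex=%q before=%v after=%v broad=%v\n",
				helmRepo, regex, before, after, isOverlyBroad(regex))
		}
	}
}
```

    The regex is compiled with Go's regexp package, which is what a Go controller would use, so a pattern that passes here follows the same RE2 rules. The derived pattern for the two constructed Bundle URLs is `^https://charts\.example\.com/`, matching the form the advisory gives for the migration job; `^https://` is reported as broad because the canary origin also matches it.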

    Credits

    This security issue was reported by the following collaborators according to our responsible disclosure policy:

    • Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
    • FluentLogic's security team.

    References

    If you have any questions or comments about this advisory:
    - Reach out to the SUSE Rancher Security team (https://github.com/rancher/rancher/security/policy) for security-related inquiries.
    - Open an issue in the Rancher repository (https://github.com/rancher/rancher/issues/new/choose).
    - Verify with our support matrix (https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and product support lifecycle (https://www.suse.com/lifecycle/).


    {
      "affected": [
        {
          "package": {
            "ecosystem": "Go",
            "name": "github.com/rancher/fleet"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.15.0"
                },
                {
                  "fixed": "0.15.2"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        },
        {
          "package": {
            "ecosystem": "Go",
            "name": "github.com/rancher/fleet"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.14.0"
                },
                {
                  "fixed": "0.14.6"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        },
        {
          "package": {
            "ecosystem": "Go",
            "name": "github.com/rancher/fleet"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.13.0"
                },
                {
                  "fixed": "0.13.11"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        },
        {
          "package": {
            "ecosystem": "Go",
            "name": "github.com/rancher/fleet"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.12.0"
                },
                {
                  "fixed": "0.12.15"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-44936"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-918"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-07-01T20:45:05Z",
        "nvd_published_at": null,
        "severity": "MODERATE"
      },
      "details": "### Impact\nA vulnerability has been identified in Fleet when the `helmRepoURLRegex` field isn\u0027t set on a `GitRepo` resource. Fleet\u0027s bundle reader forwards Helm authentication credentials (`BasicAuth`) to any URL specified in the `helm.repo` field of a `fleet.yaml` file.\n\nAn attacker with git push access to a Fleet-monitored repository can exploit this behavior by specifying a malicious URL in `helm.repo`. This causes the Fleet controller to send the configured Helm repository credentials to the attacker\u2019s server. \n\nAs a result, the attacker can capture the username and password that an administrator configured to access a private Helm chart repository. However, the response body from the attacker\u0027s server isn\u0027t included in the error message (this behavior was fixed in Fleet `v0.13.3` and later), which prevents additional internal data from leaking through the status condition.\n\nThe final severity of this vulnerability depends on the specific permissions of the leaked credentials. \n\nFleet recommends you to:\n1. Review your system for potentially leaked credentials.\n2. Replace any credentials that might be compromised.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) and [MITRE ATT\u0026CK - Technique - Steal Application Access Token](https://attack.mitre.org/techniques/T1528/) for further information about this category of attack.\n\n### Patches\nTo resolve this vulnerability, upgrade to a patched version of Fleet. The patched version of Fleet now requires you to set the `helmRepoURLRegex` field on the `GitRepo`. 
If the `helmRepoURLRegex` is empty or missing, Fleet won\u2019t send credentials, regardless of the URL specified in `fleet.yaml`.\n \nWhen you upgrade, a Helm pre-upgrade job automatically migrates existing `GitRepo` resources that have `helmSecretName` or `helmSecretNameForPaths` configured but lack a `helmRepoURLRegex`. The migration job performs the following actions:\n\nThe job extracts the scheme and host from the Helm repository URLs already stored in the resource\u0027s Bundles. For example, a `GitRepo` with Bundles referencing `https://charts.example.com/stable` receives `helmRepoURLRegex: \"^https://charts\\.example\\.com/\"`. This limits credential forwarding to the origins already in use before the upgrade.\nMigrated resources are annotated with `fleet.cattle.io/helm-regex-auto-migrated: \"true\"` so you can easily audit them.\n\nIf no Bundles with Helm repository URLs exist during the migration (for example, if the `GitRepo` has never successfully synced), `helmRepoURLRegex` remains empty and credentials aren\u0027t forwarded. You must set this field manually before Fleet will send credentials.\n\nThe migration job runs only once per installation and records its status in a `ConfigMap` named `fleet-helm-url-regex-migrated` in the Fleet system namespace. Any `GitRepo` resources you create after the upgrade require an explicit `helmRepoURLRegex` to forward credentials.\n\nPatched versions of Fleet include releases `v0.15.2`, `v0.14.6`, `0.13.11`, and `v0.12.15`.\n\n### Workarounds\nIf you cannot immediately upgrade to a patched version, use the following methods to mitigate the risk and audit your environment.\nSet `helmRepoURLRegex` on all `GitRepo` resources that use `helmSecretName`. Ensure the regular expression matches only your legitimate Helm repository URL. 
\n\nExample configuration:\n```yaml\napiVersion: fleet.cattle.io/v1alpha1\nkind: GitRepo\nmetadata:\n  name: my-app\n  namespace: fleet-local\nspec:\n  repo: https://git.example.com/org/my-app.git\n  helmSecretName: helm-creds\n  helmRepoURLRegex: \"^https://charts\\\\.example\\\\.com/.*\"\n```\n\nAfter upgrading to a patched version, review all auto-migrated `GitRepo` resources by running the following command:\n\n``` \nkubectl get gitrepo -A -o json | \\\n  jq -r \u0027.items[] | select(.metadata.annotations[\"fleet.cattle.io/helm-regex-auto-migrated\"] == \"true\") | \"\\(.metadata.namespace)/\\(.metadata.name): \\(.spec.helmRepoURLRegex)\"\u0027\n```\n\nVerify that the auto-derived regular expression matches only your intended Helm repository origins. If a regular expression is broader than necessary, replace it with a more specific pattern.\n\n### Credits\n\nThis security issue was reported by the following collaborators according to our responsible disclosure policy:\n\n- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).\n- FluentLogic\u0027s security team.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
      "id": "GHSA-hx4v-cxpf-vh8m",
      "modified": "2026-07-01T20:45:05Z",
      "published": "2026-07-01T20:45:05Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/rancher/fleet/security/advisories/GHSA-hx4v-cxpf-vh8m"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/rancher/fleet"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ],
      "summary": "Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml"
    }

    WID-SEC-W-2026-1715

    Vulnerability from csaf_certbund - Published: 2026-05-27 22:00 - Updated: 2026-05-27 22:00
    Summary
    Fleet: Multiple vulnerabilities
    Severity
    High
    Notes
    As a provider, the BSI is responsible under general law for its own content made available for use. Users, however, are responsible for carefully checking in each individual case the use and/or implementation of the information provided with that content.
    Product description: Fleet is an open-source device-management platform that enables organisations to monitor and secure their infrastructure.
    Attack: An attacker can exploit multiple vulnerabilities in Fleet to bypass security mechanisms, disclose confidential information, cause a denial-of-service condition, or manipulate security configurations.
    Affected operating systems:
    - Linux
    - UNIX
    Affected products

    Product                    | Identifier          | Version  | Remediation
    Open Source Fleet <0.12.15 | Open Source / Fleet | <0.12.15 |
    Open Source Fleet <0.13.11 | Open Source / Fleet | <0.13.11 |
    Open Source Fleet <0.14.6  | Open Source / Fleet | <0.14.6  |
    Open Source Fleet <0.15.2  | Open Source / Fleet | <0.15.2  |

    {
      "document": {
        "aggregate_severity": {
          "text": "hoch"
        },
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
          "tlp": {
            "label": "WHITE",
            "url": "https://www.first.org/tlp/"
          }
        },
        "lang": "de-DE",
        "notes": [
          {
            "category": "legal_disclaimer",
            "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
          },
          {
            "category": "description",
            "text": "Fleet ist eine Open-Source-Plattform zur Ger\u00e4teverwaltung, die es Unternehmen erm\u00f6glicht, ihre Infrastruktur zu \u00fcberwachen und zu sichern.",
            "title": "Produktbeschreibung"
          },
          {
            "category": "summary",
            "text": "Ein Angreifer kann mehrere Schwachstellen in Fleet ausnutzen, um Sicherheitsmechanismen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand herbeizuf\u00fchren oder Sicherheitskonfigurationen zu manipulieren.",
            "title": "Angriff"
          },
          {
            "category": "general",
            "text": "- Linux\n- UNIX",
            "title": "Betroffene Betriebssysteme"
          }
        ],
        "publisher": {
          "category": "other",
          "contact_details": "csaf-provider@cert-bund.de",
          "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
          "namespace": "https://www.bsi.bund.de"
        },
        "references": [
          {
            "category": "self",
            "summary": "WID-SEC-W-2026-1715 - CSAF Version",
            "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1715.json"
          },
          {
            "category": "self",
            "summary": "WID-SEC-2026-1715 - Portal Version",
            "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1715"
          },
          {
            "category": "external",
            "summary": "GitHub Security Advisory GHSA-xr65-5cpm-g36x vom 2026-05-27",
            "url": "https://github.com/rancher/fleet/security/advisories/GHSA-xr65-5cpm-g36x"
          },
          {
            "category": "external",
            "summary": "GitHub Security Advisory GHSA-hx4v-cxpf-vh8m vom 2026-05-27",
            "url": "https://github.com/rancher/fleet/security/advisories/GHSA-hx4v-cxpf-vh8m"
          },
          {
            "category": "external",
            "summary": "GitHub Security Advisory GHSA-jmf4-m7j9-g72r vom 2026-05-27",
            "url": "https://github.com/rancher/fleet/security/advisories/GHSA-jmf4-m7j9-g72r"
          },
          {
            "category": "external",
            "summary": "GitHub Security Advisory GHSA-864g-863m-vcvq vom 2026-05-27",
            "url": "https://github.com/rancher/fleet/security/advisories/GHSA-864g-863m-vcvq"
          }
        ],
        "source_lang": "en-US",
        "title": "Fleet: Mehrere Schwachstellen",
        "tracking": {
          "current_release_date": "2026-05-27T22:00:00.000+00:00",
          "generator": {
            "date": "2026-05-28T11:45:32.727+00:00",
            "engine": {
              "name": "BSI-WID",
              "version": "1.6.0"
            }
          },
          "id": "WID-SEC-W-2026-1715",
          "initial_release_date": "2026-05-27T22:00:00.000+00:00",
          "revision_history": [
            {
              "date": "2026-05-27T22:00:00.000+00:00",
              "number": "1",
              "summary": "Initiale Fassung"
            }
          ],
          "status": "final",
          "version": "1"
        }
      },
      "product_tree": {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c0.15.2",
                    "product": {
                      "name": "Open Source Fleet \u003c0.15.2",
                      "product_id": "T054833"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "0.15.2",
                    "product": {
                      "name": "Open Source Fleet 0.15.2",
                      "product_id": "T054833-fixed",
                      "product_identification_helper": {
                        "cpe": "cpe:/a:fleetdm:fleet:0.15.2"
                      }
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003c0.14.6",
                    "product": {
                      "name": "Open Source Fleet \u003c0.14.6",
                      "product_id": "T054834"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "0.14.6",
                    "product": {
                      "name": "Open Source Fleet 0.14.6",
                      "product_id": "T054834-fixed",
                      "product_identification_helper": {
                        "cpe": "cpe:/a:fleetdm:fleet:0.14.6"
                      }
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003c0.13.11",
                    "product": {
                      "name": "Open Source Fleet \u003c0.13.11",
                      "product_id": "T054835"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "0.13.11",
                    "product": {
                      "name": "Open Source Fleet 0.13.11",
                      "product_id": "T054835-fixed",
                      "product_identification_helper": {
                        "cpe": "cpe:/a:fleetdm:fleet:0.13.11"
                      }
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003c0.12.15",
                    "product": {
                      "name": "Open Source Fleet \u003c0.12.15",
                      "product_id": "T054836"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "0.12.15",
                    "product": {
                      "name": "Open Source Fleet 0.12.15",
                      "product_id": "T054836-fixed",
                      "product_identification_helper": {
                        "cpe": "cpe:/a:fleetdm:fleet:0.12.15"
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "Fleet"
              }
            ],
            "category": "vendor",
            "name": "Open Source"
          }
        ]
      },
      "vulnerabilities": [
        {
          "cve": "CVE-2026-44935",
          "product_status": {
            "known_affected": [
              "T054836",
              "T054835",
              "T054834",
              "T054833"
            ]
          },
          "release_date": "2026-05-27T22:00:00.000+00:00",
          "title": "CVE-2026-44935"
        },
        {
          "cve": "CVE-2026-44936",
          "product_status": {
            "known_affected": [
              "T054836",
              "T054835",
              "T054834",
              "T054833"
            ]
          },
          "release_date": "2026-05-27T22:00:00.000+00:00",
          "title": "CVE-2026-44936"
        },
        {
          "cve": "CVE-2026-44937",
          "product_status": {
            "known_affected": [
              "T054836",
              "T054835",
              "T054834",
              "T054833"
            ]
          },
          "release_date": "2026-05-27T22:00:00.000+00:00",
          "title": "CVE-2026-44937"
        },
        {
          "cve": "CVE-2026-44938",
          "product_status": {
            "known_affected": [
              "T054836",
              "T054835",
              "T054834",
              "T054833"
            ]
          },
          "release_date": "2026-05-27T22:00:00.000+00:00",
          "title": "CVE-2026-44938"
        }
      ]
    }