GHSA-765J-QFRP-HM3J

Vulnerability from github – Published: 2026-05-07 01:26 – Updated: 2026-05-14 20:31
VLAI?
Summary
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Details

Impact

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.

Helm lookup bypass: The Helm template engine ran Kubernetes API queries with the fleet-agent's cluster-admin credentials instead of the impersonated ServiceAccount. A chart template could therefore access resources beyond the tenant's RBAC scope.

valuesFrom bypass: Secret and ConfigMap references in fleet.yaml helm.valuesFrom were read using the fleet-agent's cluster-admin client. A tenant could reference resources in namespaces the impersonated ServiceAccount has no access to. Both issues break Fleet's multi-tenant impersonation boundary. The leaked credentials may belong to external services, making the full impact non-deterministic. Single-tenant deployments where all users are trusted are not affected.

Important: - For the exposure of additional credentials, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services. - It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.

Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.

Patches

Both issues are fixed by ensuring the Helm action configuration consistently uses the impersonated ServiceAccount credentials throughout all Helm operations.

Patched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, and v2.11.13. For Rancher v2.10.11, users must manually update their Fleet deployment to versionv0.11.13.

Workarounds

No workaround fully mitigates the issue for multi-tenant deployments. The patches should be applied as soon as they are available.

The following measures reduce the attack surface but do not close either vulnerability:

  • Restrict git push access to Fleet-monitored repositories to trusted users only. In a multi-tenant setup this removes the precondition entirely, but is often not operationally viable.
  • Use GitRepoRestriction resources to limit which ServiceAccounts each namespace is allowed to use, restricting the set of users who can configure impersonation at all.
  • Audit deployed chart templates for lookup calls and fleet.yaml files for cross-namespace valuesFrom references as a detective control.

Resources

If there are any questions or comments about this advisory:

Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T01:26:06Z",
    "nvd_published_at": "2026-05-13T08:16:16Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nFleet\u0027s Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.\n\n**Helm `lookup` bypass:** The Helm template engine ran Kubernetes API queries with the fleet-agent\u0027s cluster-admin credentials instead of the impersonated ServiceAccount. A chart template could therefore access resources beyond the tenant\u0027s RBAC scope.\n\n**`valuesFrom` bypass:** Secret and ConfigMap references in `fleet.yaml` `helm.valuesFrom` were read using the fleet-agent\u0027s cluster-admin client. A tenant could reference resources in namespaces the impersonated ServiceAccount has no access to.\nBoth issues break Fleet\u0027s multi-tenant impersonation boundary. The leaked credentials may belong to external services, making the full impact non-deterministic.\nSingle-tenant deployments where all users are trusted are not affected.\n\n**Important:**\n- For the exposure of additional credentials, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.\n- It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.\n\nPlease consult the associated  [MITRE ATT\u0026CK - Technique - Account Access Removal](https://attack.mitre.org/techniques/T1531/) for further information about this category of attack.\n\n### Patches\n\nBoth issues are fixed by ensuring the Helm action configuration consistently uses the impersonated ServiceAccount credentials throughout all Helm operations.\n\nPatched versions of Rancher include releases `v2.14.1`, `v2.13.5`, `v2.12.9`, and `v2.11.13`. For Rancher `v2.10.11`, users must manually update their Fleet deployment to version`v0.11.13`.\n\n### Workarounds\n\nNo workaround fully mitigates the issue for multi-tenant deployments. The patches should be applied as soon as they are available.\n\nThe following measures reduce the attack surface but do not close either vulnerability:\n\n- Restrict git push access to Fleet-monitored repositories to trusted users only. In a multi-tenant setup this removes the precondition entirely, but is often not operationally viable.\n- Use `GitRepoRestriction` resources to limit which ServiceAccounts each namespace is allowed to use, restricting the set of users who can configure impersonation at all.\n- Audit deployed chart templates for `lookup` calls and `fleet.yaml` files for cross-namespace `valuesFrom` references as a detective control.\n\n### Resources\n\nIf there are any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify using the [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
  "id": "GHSA-765j-qfrp-hm3j",
  "modified": "2026-05-14T20:31:35Z",
  "published": "2026-05-07T01:26:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/fleet/security/advisories/GHSA-765j-qfrp-hm3j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41050"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41050"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/fleet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.