CVE-2026-41050

Summary

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.

Affected Software

VendorProductVersion RangeStatus
SUSERancher0.15.0 < 0.15.1affected
SUSERancher0.14.0 < 0.14.5affected
SUSERancher0.13.0 < 0.13.10affected
SUSERancher0.12.0 < 0.12.14affected
SUSERancher0.11.0 < 0.11.13affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References