CRITICALCVE-2026-41050Published 2026-05-13Modified 2026-05-14CNA suse

CVE-2026-41050: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: 0.11.13
Affected Products: 1

Fix available

0.11.130.12.140.13.100.14.50.15.1

Affected packages

SUSE / Rancher
< 0.15.1 (from 0.15.0) · < 0.14.5 (from 0.14.0) · < 0.13.10 (from 0.13.0) · < 0.12.14 (from 0.12.0) · < 0.11.13 (from 0.11.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

bugzilla.suse.com
github.com

Metrics

Fix available