CVE-2026-41050: Secret Leak in Rancher Fleet 0.11.0–0.15.1
Platform: kubernetes
Component: rancher
Fixed in: 0.15.1
CVE-2026-41050 affects Rancher Fleet versions 0.11.0 through 0.15.1. This vulnerability arises from an insufficient application of ServiceAccount impersonation within the Helm deployer, enabling a malicious tenant to potentially access sensitive secrets. The flaw allows a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo. A fix is available in version 0.15.1.
Impact and attack scenarios
The impact of CVE-2026-41050 is severe, potentially leading to widespread secret exposure across multiple Kubernetes clusters. An attacker who gains access to a Fleet-monitored repository and possesses git push privileges can exploit this vulnerability to read secrets stored in any namespace on the downstream clusters. This could include database credentials, API keys, and other sensitive information. Successful exploitation allows for unauthorized access to resources and potentially complete compromise of the affected clusters. The blast radius extends to all namespaces and downstream clusters managed by the vulnerable Fleet instance, making it a critical security concern.
Exploitation context
CVE-2026-41050 was published on May 13, 2026. Its severity is rated CRITICAL with a CVSS score of 9.9. There is currently no public proof-of-concept (POC) code available. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Threat analysis
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. Automatic and silent attack; the victim does nothing.
- Scope: Changed. The attack can spread beyond the vulnerable component to other systems.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete arbitrary data.
- Availability: High. Complete crash or resource exhaustion; total denial of service.
Mitigation and workarounds
The primary mitigation for CVE-2026-41050 is to upgrade Rancher Fleet to version 0.15.1 or later immediately. If upgrading is not immediately feasible, restrict git push access to Fleet-monitored repositories to trusted users only. Review and audit existing GitRepo configurations to identify any potential attack vectors. Implement strict namespace isolation policies and least-privilege access controls to limit the impact of a potential breach. Monitor Fleet logs for suspicious activity related to git operations or ServiceAccount impersonation. After upgrading, confirm the fix by reviewing deployment manifests to verify that the Helm deployer applies ServiceAccount impersonation correctly.
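As an added example (not code from this page or from the Fleet project), the following Python helper turns two of the checks above into something a defender can run: it classifies a fleet-controller image tag against the affected range, treating 0.15.1 as the first fixed release as the advisory states, and it scans the JSON that `kubectl get gitrepos.fleet.cattle.io -A -o json` returns for GitRepo objects that set no `spec.serviceAccount`, the GitRepo field that names the ServiceAccount the deployer should impersonate. That field, the `cattle-fleet-system` namespace mentioned in a comment, the sample GitRepo objects and the sample image tag are assumptions or constructed data for this example.

```python
"""Post-advisory audit helper for CVE-2026-41050 (Rancher Fleet).

Two checks a defender runs after reading the mitigation section:
  1. is_affected(): is a fleet-controller image tag inside the affected
     range 0.11.0 up to, but not including, the 0.15.1 fix release?
  2. audit_gitrepos(): which GitRepo objects set no spec.serviceAccount,
     i.e. pin no impersonation identity for the Helm deployer?

Check 2 consumes the JSON shape of
    kubectl get gitrepos.fleet.cattle.io -A -o json
The sample below is constructed for this example, not real cluster output.
"""
import json
import re

AFFECTED_MIN = (0, 11, 0)   # first affected release named in the advisory
FIXED_IN = (0, 15, 1)       # "fixed in" release named in the advisory


def parse_version(tag: str) -> tuple:
    """Turn 'v0.12.3' or '0.12.3' into (0, 12, 3); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(tag: str) -> bool:
    """True when the tag falls in [0.11.0, 0.15.1).

    Assumption: 0.15.1 is the first fixed release, so it is treated as safe.
    """
    return AFFECTED_MIN <= parse_version(tag) < FIXED_IN


def image_tag(image: str) -> str:
    """Extract the tag from an image reference such as 'rancher/fleet:v0.12.3'."""
    if ":" not in image.rsplit("/", 1)[-1]:
        raise ValueError(f"image reference has no tag: {image!r}")
    return image.rsplit(":", 1)[1]


def audit_gitrepos(gitrepo_list: dict) -> list:
    """Return one finding per GitRepo whose spec has no serviceAccount set.

    Assumption: spec.serviceAccount is the GitRepo field that names the
    ServiceAccount the deployer should impersonate (Fleet's GitRepo spec).
    """
    findings = []
    for item in gitrepo_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        name = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        if not spec.get("serviceAccount"):
            findings.append({
                "gitrepo": name,
                "repo": spec.get("repo"),
                "issue": "spec.serviceAccount is unset; no impersonation identity is pinned",
            })
    return findings


# Constructed sample: two GitRepo objects, one with an explicit serviceAccount, one without.
SAMPLE_GITREPOS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "fleet.cattle.io/v1alpha1",
      "kind": "GitRepo",
      "metadata": {"name": "team-a-apps", "namespace": "fleet-default"},
      "spec": {"repo": "https://git.example.invalid/team-a/apps.git", "branch": "main",
               "paths": ["charts"]}
    },
    {
      "apiVersion": "fleet.cattle.io/v1alpha1",
      "kind": "GitRepo",
      "metadata": {"name": "team-b-apps", "namespace": "fleet-default"},
      "spec": {"repo": "https://git.example.invalid/team-b/apps.git", "branch": "main",
               "paths": ["charts"], "serviceAccount": "team-b-deployer"}
    }
  ]
}
""")


if __name__ == "__main__":
    # Constructed image reference. On a real cluster (assumed namespace) read it with:
    # kubectl -n cattle-fleet-system get deploy fleet-controller \
    #   -o jsonpath='{.spec.template.spec.containers[0].image}'
    image = "rancher/fleet:v0.12.3"
    tag = image_tag(image)
    state = "AFFECTED" if is_affected(tag) else "not in affected range"
    print(f"fleet-controller {tag}: {state}")
    for f in audit_gitrepos(SAMPLE_GITREPOS):
        print(f"[finding] {f['gitrepo']} ({f['repo']}): {f['issue']}")
```

To run it against a live cluster, replace `SAMPLE_GITREPOS` with `json.load()` of the saved `kubectl get gitrepos.fleet.cattle.io -A -o json` output; a GitRepo in the findings list is one to review for an explicit, least-privilege ServiceAccount before and after the upgrade.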
How to fix
Upgrade Rancher to version 0.15.1 or later to mitigate the vulnerability. This update fixes a security flaw that allowed users with Git access to read secrets from other namespaces, which could compromise the security of your cluster.
Frequently asked questions
What is CVE-2026-41050 — Secret Leak in Rancher Fleet?
CVE-2026-41050 is a CRITICAL vulnerability in Rancher Fleet versions 0.11.0–0.15.1 that allows a tenant with git push access to read secrets from any namespace on downstream clusters. This can lead to unauthorized access to sensitive data.
Am I affected by CVE-2026-41050 in Rancher Fleet?
If you are running Rancher Fleet versions 0.11.0 through 0.15.1, you are potentially affected by this vulnerability. Assess your git push access controls and immediately upgrade to mitigate the risk.
How do I fix CVE-2026-41050 in Rancher Fleet?
The recommended fix is to upgrade Rancher Fleet to version 0.15.1 or later. If immediate upgrade is not possible, restrict git push access and review existing configurations.
Is CVE-2026-41050 being actively exploited?
Currently, there is no public proof-of-concept code or reports of active exploitation. However, given the severity, it is crucial to apply the fix promptly.
Where can I find the official Rancher advisory for CVE-2026-41050?
Refer to the official Rancher security advisories page for the latest information and updates regarding CVE-2026-41050: [https://rancher.com/security/](https://rancher.com/security/)