CVE-2026-41050: Secret Leak in Rancher Fleet 0.11.0–0.15.1
Platform
kubernetes
Component
rancher
Fixed in
0.15.1
CVE-2026-41050 affects Rancher Fleet versions 0.11.0 through 0.15.1. This vulnerability stems from an insufficient application of ServiceAccount impersonation within the Helm deployer, allowing malicious actors to potentially access sensitive secrets. The impact is severe, as a compromised tenant can read secrets from any namespace on downstream clusters. The vulnerability has been resolved in version 0.15.1.
Impact and Attack Scenarios
The core of this vulnerability lies in Fleet's Helm deployer's handling of ServiceAccount impersonation. A tenant possessing git push access to a Fleet-monitored repository can exploit this flaw. By crafting malicious Helm charts and pushing them to the repository, the tenant can trigger the deployer to execute actions with elevated privileges on downstream Kubernetes clusters. This allows them to read secrets stored within any namespace on those clusters, effectively bypassing standard Kubernetes security controls. The blast radius extends to all downstream clusters managed by the affected Fleet instance, potentially exposing a wide range of sensitive data, including database credentials, API keys, and encryption keys. This could lead to complete compromise of the targeted clusters and the data they contain.
Exploitation Context
CVE-2026-41050 was published on May 13, 2026. Its severity is rated CRITICAL with a CVSS score of 9.9. There is no indication of this vulnerability being listed on KEV or having an EPSS score at this time. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests that it could be relatively easy to exploit once a suitable POC is developed. Active campaigns targeting this vulnerability are not currently known, but the high severity warrants close monitoring.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-41050 is to immediately upgrade Rancher Fleet to version 0.15.1 or later. This version contains the necessary fixes to properly enforce ServiceAccount impersonation. If an immediate upgrade is not feasible, consider restricting git push access to Fleet-monitored repositories to only trusted users. Implement strict namespace isolation policies within your Kubernetes clusters to limit the potential impact of a compromised tenant. Review and audit all Helm charts deployed by Fleet for any suspicious activity. After upgrading, verify the fix by attempting to deploy a Helm chart from a tenant with git push access and confirming that the chart does not have access to secrets outside of its designated namespace.
How to fix
Actualice Rancher a la versión 0.15.1 o posterior para mitigar la vulnerabilidad. Esta actualización corrige un fallo de seguridad que permitía a los usuarios con acceso a Git leer secretos de otros namespaces, lo que podría comprometer la seguridad de su clúster.
Frequently asked questions
What is CVE-2026-41050 — Secret Leak in Rancher Fleet?
CVE-2026-41050 is a critical vulnerability in Rancher Fleet versions 0.11.0–0.15.1 that allows a tenant with git push access to read secrets from any namespace on downstream clusters due to insufficient ServiceAccount impersonation.
Am I affected by CVE-2026-41050 in Rancher Fleet?
You are affected if you are running Rancher Fleet versions 0.11.0 through 0.15.1 and have tenants with git push access to Fleet-monitored repositories.
How do I fix CVE-2026-41050 in Rancher Fleet?
Upgrade Rancher Fleet to version 0.15.1 or later to remediate the vulnerability. Restrict git push access to Fleet-monitored repositories as an interim measure.
Is CVE-2026-41050 being actively exploited?
There are currently no reports of active exploitation, but the high severity warrants close monitoring and proactive mitigation.
Where can I find the official Rancher Fleet advisory for CVE-2026-41050?
Refer to the official Rancher Fleet security advisories on the Rancher website for the latest information and updates regarding CVE-2026-41050.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...