CVE-2026-41050 - Vulnerability Details - OpenCVE

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/digital-risk-protection
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41050
https://github.com/advisories/GHSA-765j-qfrp-hm3j

History

Wed, 13 May 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.
Title		Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Weaknesses		CWE-863
References		https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41050 https://github.com/advisories/GHSA-765j-qfrp-hm3j
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2026-05-13T08:04:57.293Z

Updated: 2026-05-13T08:05:26.978Z

Reserved: 2026-04-16T13:37:50.679Z

Link: CVE-2026-41050

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41050", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-04-16T13:37:50.679Z", "datePublished": "2026-05-13T08:04:57.293Z", "dateUpdated": "2026-05-13T08:05:26.978Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-05-13T08:05:26.978Z"}, "title": "Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SUSE", "product": "Rancher", "packageName": "github.com/rancher/fleet", "versions": [{"status": "affected", "version": "0.15.0", "lessThan": "0.15.1", "versionType": "semver"}, {"status": "affected", "version": "0.14.0", "lessThan": "0.14.5", "versionType": "semver"}, {"status": "affected", "version": "0.13.0", "lessThan": "0.13.10", "versionType": "semver"}, {"status": "affected", "version": "0.12.0", "lessThan": "0.12.14", "versionType": "semver"}, {"status": "affected", "version": "0.11.0", "lessThan": "0.11.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`."}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41050"}, {"url": "https://github.com/advisories/GHSA-765j-qfrp-hm3j"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "https://github.com/kodareef5", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}