CVE-2026-41050

Aliases:GHSA-765j-qfrp-hm3j
Awaiting Analysis
Published: 13 May 2026, 08:04
Last modified:13 May 2026, 10:49

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.9 CRITICAL
v3.1 (cve.org)
EPSS Score
0.04% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 May 2026, 08:04
Published
Vulnerability first disclosed
13 May 2026, 10:49
Last Modified
Vulnerability information updated

Description

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

CVSS Metrics

  • v3.1CRITICALScore: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.04% Percentile: 12%

Techniques & Countermeasures

  • CWE-863Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

  • github.com/rancherfleet

    ≥ 0.15.0, < 0.15.1 | ≥ 0.14.0, < 0.14.5 | ≥ 0.13.0, < 0.13.10 | ≥ 0.12.0, < 0.12.14 | ≥ 0.11.0, < 0.11.13

  • suserancher

    ≥ 0.15.0, < 0.15.1 | ≥ 0.14.0, < 0.14.5 | ≥ 0.13.0, < 0.13.10 | ≥ 0.12.0, < 0.12.14 | ≥ 0.11.0, < 0.11.13

References (4)