CVE-2026-41050 Overview
CVE-2026-41050 is a broken access control vulnerability in Rancher Fleet's Helm deployer. The deployer fails to apply ServiceAccount impersonation in two code paths. A tenant with git push access to a Fleet-monitored repository can read secrets from any namespace on every downstream cluster targeted by their GitRepo. The flaw is classified as CWE-863 (Incorrect Authorization).
Critical Impact
A low-privileged tenant with git push rights can exfiltrate Kubernetes secrets across all namespaces on downstream clusters reachable through their GitRepo, enabling lateral movement and credential theft across multi-tenant Fleet deployments.
Affected Products
- Rancher Fleet (Helm deployer component)
- SUSE Rancher distributions bundling vulnerable Fleet versions
- Kubernetes clusters managed as Fleet downstream targets
Discovery Timeline
- 2026-05-13 - CVE-2026-41050 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41050
Vulnerability Analysis
Fleet is a GitOps-based continuous delivery system that synchronizes Kubernetes manifests and Helm charts from git repositories to downstream clusters. Fleet supports multi-tenancy by tying each GitRepo to a tenant ServiceAccount whose permissions constrain what the deployer can read and apply on downstream clusters.
The Helm deployer is expected to perform every Kubernetes API call using impersonation headers tied to the tenant ServiceAccount. In two code paths within the deployer, impersonation is not applied. Those API calls execute with the privileges of the Fleet agent itself, which holds broad cluster-wide read access.
The authorization gap allows a tenant to push manifests or chart values that cause the deployer to read arbitrary Secret objects across every namespace on each targeted downstream cluster. Because the call runs as the agent rather than the tenant ServiceAccount, RoleBinding restrictions intended to scope the tenant are bypassed.
Root Cause
The root cause is incomplete enforcement of ServiceAccount impersonation in the Helm deployer. Two execution paths construct Kubernetes API clients without injecting the tenant impersonation configuration, defaulting to the agent's own credentials.
Attack Vector
An attacker requires git push access to any repository registered as a Fleet GitRepo. The attacker commits a crafted Helm chart or bundle that causes the deployer to enter one of the vulnerable code paths. On reconciliation, the agent reads secrets from arbitrary namespaces and returns or logs their contents, allowing exfiltration through deployment status, rendered manifests, or downstream resources controlled by the attacker. Refer to the GitHub Security Advisory GHSA-765j-qfrp-hm3j for code-level detail.
Detection Methods for CVE-2026-41050
Indicators of Compromise
- Fleet agent audit log entries showing get or list operations on Secret resources across namespaces unrelated to the tenant's GitRepo target.
- Unexpected commits to Fleet-monitored repositories that introduce Helm templates referencing Secret objects in foreign namespaces.
- Deployed resources on downstream clusters whose content mirrors secret data from other tenants' namespaces.
Detection Strategies
- Enable Kubernetes API server audit logging on downstream clusters and alert when the Fleet agent ServiceAccount reads secrets outside namespaces owned by the originating GitRepo.
- Correlate git commit metadata for Fleet-monitored repositories with downstream secret access events to identify tenants triggering anomalous reads.
- Baseline normal Fleet deployer API call patterns and flag deviations such as missing Impersonate-User headers on secret read operations.
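The two checks above (Secret reads by the agent that carry no impersonation, and impersonated reads outside the namespaces the originating GitRepo owns) as a small audit-log scanner. This is an added example, not code from the Fleet project or the advisory. It relies on the fact that an audit.k8s.io/v1 Event records the original caller in `user` and, when the request carried impersonation headers, the target in `impersonatedUser`. The agent identity is taken from the kubectl example on this page; the tenant ServiceAccount names, the tenant-to-namespace mapping in `TENANT_NAMESPACES`, and every sample event are constructed for the example.

```python
"""Scan Kubernetes audit-log events (JSON lines, audit.k8s.io/v1) for Secret reads by the
Fleet agent that either carry no impersonation or land outside the impersonated
tenant's namespaces."""
import json

# Identity the Fleet agent uses on a downstream cluster (from the page's kubectl example).
FLEET_AGENT_USER = "system:serviceaccount:cattle-fleet-system:fleet-agent"

# Assumed mapping of impersonated tenant ServiceAccounts to the namespaces their GitRepo
# targets; in practice this is derived from GitRepo/Bundle targets. Names are constructed.
TENANT_NAMESPACES = {
    "system:serviceaccount:fleet-default:tenant-a-deployer": {"tenant-a"},
    "system:serviceaccount:fleet-default:tenant-b-deployer": {"tenant-b"},
}
READ_VERBS = {"get", "list", "watch"}


def classify_event(event):
    """Return a finding string for a suspicious Secret read by the agent, or None."""
    if event.get("stage") != "ResponseComplete":
        return None  # one record per request; ignore RequestReceived duplicates
    obj = event.get("objectRef") or {}
    if obj.get("resource") != "secrets" or event.get("verb") not in READ_VERBS:
        return None
    if (event.get("user") or {}).get("username") != FLEET_AGENT_USER:
        return None
    # Only successful reads return secret data; denied requests (4xx) are left out to cut noise.
    if (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return None
    ns = obj.get("namespace") or "<all namespaces>"
    name = obj.get("name") or "*"
    impersonated = (event.get("impersonatedUser") or {}).get("username")
    if impersonated is None:
        return f"NO_IMPERSONATION: agent read secrets/{name} in {ns} with its own identity"
    allowed = TENANT_NAMESPACES.get(impersonated)
    if allowed is None:
        return f"UNKNOWN_TENANT: agent impersonated {impersonated} to read secrets/{name} in {ns}"
    if obj.get("namespace") not in allowed:
        return f"CROSS_NAMESPACE: {impersonated} read secrets/{name} in {ns}, allowed {sorted(allowed)}"
    return None


def scan_audit_log(lines):
    """Parse JSON-lines audit events; return [(auditID, finding), ...] for flagged events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        finding = classify_event(event)
        if finding:
            findings.append((event.get("auditID", "?"), finding))
    return findings


def _event(audit_id, verb, ns, name, impersonated=None, resource="secrets", code=200):
    """Build a constructed audit event in the audit.k8s.io/v1 shape (sample data, not real logs)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
          "stage": "ResponseComplete", "verb": verb,
          "user": {"username": FLEET_AGENT_USER, "groups": ["system:serviceaccounts"]},
          "objectRef": {"resource": resource, "apiVersion": "v1"},
          "responseStatus": {"code": code}}
    if ns:
        ev["objectRef"]["namespace"] = ns
    if name:
        ev["objectRef"]["name"] = name
    if impersonated:
        ev["impersonatedUser"] = {"username": impersonated}
    return json.dumps(ev)


TENANT_A = "system:serviceaccount:fleet-default:tenant-a-deployer"
# Constructed sample log: one legitimate read and several of the patterns worth alerting on.
SAMPLE_AUDIT_LOG = [
    _event("a1", "get", "tenant-a", "app-config", TENANT_A),             # impersonated, in scope
    _event("a2", "get", "tenant-b", "db-creds"),                          # agent identity, no impersonation
    _event("a3", "list", None, None),                                     # cluster-wide Secret list, no impersonation
    _event("a4", "get", "tenant-b", "db-creds", TENANT_A),                # impersonated but outside tenant scope
    _event("a5", "get", "tenant-b", "db-creds", code=403),                # denied, returned no data
    _event("a6", "get", "tenant-b", "db-creds", resource="configmaps"),   # not a Secret
    "not json at all",                                                    # malformed line
]

if __name__ == "__main__":
    for audit_id, finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(audit_id, finding)
```

Run against `SAMPLE_AUDIT_LOG` it flags a2, a3 and a4 and ignores the rest. Feeding it the real audit log is a matter of iterating over the file's lines; the namespace allowlist is the part that has to be kept in step with the GitRepo targets, otherwise legitimate deployments show up as CROSS_NAMESPACE.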
Monitoring Recommendations
- Forward Kubernetes audit logs and Fleet controller logs to a centralized analytics platform for cross-cluster correlation.
- Monitor GitRepo and Bundle resource changes for additions of Helm value overrides or templates that reference cross-namespace secrets.
- Track ServiceAccount token usage on each downstream cluster and alert when the Fleet agent account reads secrets at a rate exceeding established baselines.
How to Mitigate CVE-2026-41050
Immediate Actions Required
- Upgrade Fleet to the fixed version identified in the GitHub Security Advisory GHSA-765j-qfrp-hm3j.
- Audit git push permissions on every repository registered as a Fleet GitRepo and revoke access for untrusted users.
- Rotate any Kubernetes secrets that may have been exposed on downstream clusters reachable by tenant GitRepo definitions.
Patch Information
Apply the upstream Fleet release that restores ServiceAccount impersonation across all Helm deployer code paths. Consult the SUSE Bugzilla entry for CVE-2026-41050 for the distribution-specific fixed package versions and the GitHub Security Advisory GHSA-765j-qfrp-hm3j for upstream release identifiers.
Workarounds
- Restrict the Fleet agent ServiceAccount on downstream clusters to the minimum namespaces and verbs required, removing cluster-wide secret read permissions where feasible.
- Disable or remove Fleet GitRepo objects that point to repositories accessible by low-trust tenants until the patch is applied.
- Enforce branch protection and required reviews on Fleet-monitored repositories to prevent unilateral push of malicious chart content.
# Configuration example: scope the Fleet agent ServiceAccount on a downstream cluster.
# Inspect the agent's current cluster-wide binding (ClusterRoleBindings are cluster-scoped, so no namespace flag is needed).
kubectl get clusterrolebinding fleet-agent -o yaml
# Replace cluster-wide secret read access with namespace-scoped RoleBindings, one per tenant namespace.
# Note: the built-in view ClusterRole deliberately excludes Secrets. If the agent must read Secrets
# in tenant-a, bind a custom Role granting get/list on secrets in that namespace instead of view.
kubectl create rolebinding fleet-agent-scoped \
  --clusterrole=view \
  --serviceaccount=cattle-fleet-system:fleet-agent \
  --namespace=tenant-a
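To verify the first workaround, and to see why binding the built-in view ClusterRole does not on its own give the agent Secret access in a namespace, here is an added example (not Fleet's or SUSE's code) that evaluates a set of RBAC objects and reports where a ServiceAccount can read Secrets: cluster-wide, in named namespaces, or nowhere. The agent identity comes from the page's kubectl example; the RBAC objects, the Role and binding names, the choice of cluster-admin as the "before" binding, and the abbreviated stand-in for the view ClusterRole are constructed for the example.

```python
"""Evaluate RBAC ClusterRoles, Roles and their bindings to find where a ServiceAccount can
read Secrets (get or list on core-group secrets)."""

# Fleet agent identity from the page's kubectl example: (namespace, name).
AGENT_SA = ("cattle-fleet-system", "fleet-agent")
READ_VERBS = ("get", "list")


def rule_allows_secret_read(rule):
    """True if one PolicyRule grants get or list on core-group secrets ('*' is a wildcard)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or "" in groups)
            and ("*" in resources or "secrets" in resources)
            and any(v in verbs or "*" in verbs for v in READ_VERBS))


def role_allows_secret_read(rules):
    return any(rule_allows_secret_read(r) for r in rules)


def binds_sa(binding, sa):
    ns, name = sa
    return any(s.get("kind") == "ServiceAccount" and s.get("namespace") == ns
               and s.get("name") == name for s in binding.get("subjects", []))


def secret_read_scope(rbac, sa):
    """rbac: {'clusterRoles': {name: rules}, 'roles': {(ns, name): rules},
              'clusterRoleBindings': [...], 'roleBindings': [...]}.
    Returns {'cluster_wide': bool, 'namespaces': set of namespaces with scoped read access}."""
    cluster_wide = False
    namespaces = set()
    for crb in rbac["clusterRoleBindings"]:
        if binds_sa(crb, sa) and role_allows_secret_read(
                rbac["clusterRoles"].get(crb["roleRef"]["name"], [])):
            cluster_wide = True  # a ClusterRoleBinding applies in every namespace
    for rb in rbac["roleBindings"]:
        if not binds_sa(rb, sa):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = rbac["clusterRoles"].get(ref["name"], [])  # ClusterRole scoped by the RoleBinding
        else:
            rules = rbac["roles"].get((rb["namespace"], ref["name"]), [])
        if role_allows_secret_read(rules):
            namespaces.add(rb["namespace"])
    return {"cluster_wide": cluster_wide, "namespaces": namespaces}


# Constructed RBAC objects for the three situations; not taken from a real cluster.
SUBJECTS = [{"kind": "ServiceAccount", "namespace": AGENT_SA[0], "name": AGENT_SA[1]}]
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    # Abbreviated stand-in for the built-in view ClusterRole: many resources, never secrets.
    "view": [{"apiGroups": [""], "resources": ["configmaps", "pods", "services"],
              "verbs": ["get", "list", "watch"]}],
}
ROLES = {("tenant-a", "fleet-agent-secrets"):
         [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}

# Before: the agent is bound cluster-wide to a role that can read every Secret.
BEFORE = {"clusterRoles": CLUSTER_ROLES, "roles": ROLES,
          "clusterRoleBindings": [{"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                                   "subjects": SUBJECTS}],
          "roleBindings": []}
# Page's kubectl workaround alone: view in tenant-a, cluster-wide binding removed.
VIEW_ONLY = {"clusterRoles": CLUSTER_ROLES, "roles": ROLES, "clusterRoleBindings": [],
             "roleBindings": [{"namespace": "tenant-a",
                               "roleRef": {"kind": "ClusterRole", "name": "view"},
                               "subjects": SUBJECTS}]}
# Scoped: a custom Role granting Secret reads only in tenant-a.
SCOPED = {"clusterRoles": CLUSTER_ROLES, "roles": ROLES, "clusterRoleBindings": [],
          "roleBindings": [{"namespace": "tenant-a",
                            "roleRef": {"kind": "Role", "name": "fleet-agent-secrets"},
                            "subjects": SUBJECTS}]}

if __name__ == "__main__":
    for label, rbac in (("before", BEFORE), ("view-only", VIEW_ONLY), ("scoped", SCOPED)):
        print(label, secret_read_scope(rbac, AGENT_SA))
```

The `VIEW_ONLY` case is the one to watch for: the binding from the page's kubectl example is a valid way to remove cluster-wide access, but it leaves the agent with no Secret access at all in tenant-a, which will break any Fleet deployment that needs to read Secrets there. The `SCOPED` case shows the shape that keeps deployments working while limiting exposure to one namespace. Aggregated ClusterRoles and group subjects are not modelled here; a real audit should feed the checker the fully resolved rules.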
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.