Skip to content

Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Critical severity GitHub Reviewed Published Apr 30, 2026 in rancher/fleet • Updated May 7, 2026

Package

gomod github.com/rancher/fleet (Go)

Affected versions

>= 0.15.0, < 0.15.1
>= 0.14.0, < 0.14.5
>= 0.13.0, < 0.13.10
>= 0.12.0, < 0.12.14
>= 0.11.0, < 0.11.13

Patched versions

0.15.1
0.14.5
0.13.10
0.12.14
0.11.13

Description

Impact

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.

Helm lookup bypass: The Helm template engine ran Kubernetes API queries with the fleet-agent's cluster-admin credentials instead of the impersonated ServiceAccount. A chart template could therefore access resources beyond the tenant's RBAC scope.

valuesFrom bypass: Secret and ConfigMap references in fleet.yaml helm.valuesFrom were read using the fleet-agent's cluster-admin client. A tenant could reference resources in namespaces the impersonated ServiceAccount has no access to.
Both issues break Fleet's multi-tenant impersonation boundary. The leaked credentials may belong to external services, making the full impact non-deterministic.
Single-tenant deployments where all users are trusted are not affected.

Important:

  • For the exposure of additional credentials, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.
  • It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.

Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.

Patches

Both issues are fixed by ensuring the Helm action configuration consistently uses the impersonated ServiceAccount credentials throughout all Helm operations.

Patched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, and v2.11.13. For Rancher v2.10.11, users must manually update their Fleet deployment to versionv0.11.13.

Workarounds

No workaround fully mitigates the issue for multi-tenant deployments. The patches should be applied as soon as they are available.

The following measures reduce the attack surface but do not close either vulnerability:

  • Restrict git push access to Fleet-monitored repositories to trusted users only. In a multi-tenant setup this removes the precondition entirely, but is often not operationally viable.
  • Use GitRepoRestriction resources to limit which ServiceAccounts each namespace is allowed to use, restricting the set of users who can configure impersonation at all.
  • Audit deployed chart templates for lookup calls and fleet.yaml files for cross-namespace valuesFrom references as a detective control.

Resources

If there are any questions or comments about this advisory:

References

@samjustus samjustus published to rancher/fleet Apr 30, 2026
Published to the GitHub Advisory Database May 7, 2026
Reviewed May 7, 2026
Last updated May 7, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS score

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-41050

GHSA ID

GHSA-765j-qfrp-hm3j

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.