Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN472
_____________________________________________________________________

DATE                : 07/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running fleet (Go) versions prior to
                      0.15.1, 0.14.5, 0.13.10, 0.12.14, 0.11.13.

=====================================================================
https://github.com/advisories/GHSA-765j-qfrp-hm3j
_____________________________________________________________________


Fleet: Helm impersonation bypass of `RESTClientGetter` retains
`cluster-admin` during template rendering

Critical severity GitHub Reviewed Published Apr 30, 2026 in
rancher/fleet • Updated May 7, 2026

Vulnerability details

Package
github.com/rancher/fleet (Go)

Affected versions
>= 0.15.0, < 0.15.1
>= 0.14.0, < 0.14.5
>= 0.13.0, < 0.13.10
>= 0.12.0, < 0.12.14
>= 0.11.0, < 0.11.13

Patched versions
0.15.1
0.14.5
0.13.10
0.12.14
0.11.13

Description

Impact

Fleet's Helm deployer did not fully apply ServiceAccount impersonation
in two code paths, allowing a tenant with git push access to a
Fleet-monitored repository to read secrets from any namespace on every
downstream cluster targeted by their GitRepo.

Helm lookup bypass: The Helm template engine ran Kubernetes API queries
with the fleet-agent's cluster-admin credentials instead of the
impersonated ServiceAccount. A chart template could therefore access
resources beyond the tenant's RBAC scope.

valuesFrom bypass: Secret and ConfigMap references in fleet.yaml
helm.valuesFrom were read using the fleet-agent's cluster-admin
client. A tenant could reference resources in namespaces the
impersonated ServiceAccount has no access to.
Both issues break Fleet's multi-tenant impersonation boundary. The
leaked credentials may belong to external services, making the full
impact non-deterministic.
Single-tenant deployments where all users are trusted are not
affected.

Important:

    For the exposure of additional credentials, the final impact
severity for confidentiality, integrity and availability is
dependent on the permissions the leaked credentials have on
their services.

    It is recommended to review for potentially leaked credentials
in this scenario and to change them if deemed necessary.

Please consult the associated MITRE ATT&CK - Technique - Account
Access Removal for further information about this category of
attack.


Patches

Both issues are fixed by ensuring the Helm action configuration
consistently uses the impersonated ServiceAccount credentials
throughout all Helm operations.

Patched versions of Rancher include releases v2.14.1, v2.13.5,
v2.12.9, and v2.11.13. For Rancher v2.10.11, users must manually
update their Fleet deployment to versionv0.11.13.


Workarounds

No workaround fully mitigates the issue for multi-tenant
deployments. The patches should be applied as soon as
they are available.

The following measures reduce the attack surface but do
not close either vulnerability:

    Restrict git push access to Fleet-monitored
repositories to trusted users only. In a multi-tenant
setup this removes the precondition entirely, but is
often not operationally viable.
    Use GitRepoRestriction resources to limit which
ServiceAccounts each namespace is allowed to use,
restricting the set of users who can configure
impersonation at all.
    Audit deployed chart templates for lookup calls
and fleet.yaml files for cross-namespace valuesFrom
references as a detective control.

Resources

If there are any questions or comments about this
advisory:

    Reach out to the SUSE Rancher Security team for
security related inquiries.
    Open an issue in the Rancher repository.
    Verify using the support matrix and product
support lifecycle.

References

    GHSA-765j-qfrp-hm3j


Severity
Critical
9.9/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS score

Weaknesses
Weakness CWE-863

CVE ID
CVE-2026-41050

GHSA ID
GHSA-765j-qfrp-hm3j

Source code
rancher/fleet

Credits

    @kodareef5 kodareef5 Reporter

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================