CVE-2026-41050 PUBLISHED

Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Assigner: suse
Reserved: 16.04.2026 Published: 13.05.2026 Updated: 14.05.2026

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SUSE
Product	Rancher
Versions	Default: unaffected affected from 0.15.0 to 0.15.1 (excl.) affected from 0.14.0 to 0.14.5 (excl.) affected from 0.13.0 to 0.13.10 (excl.) affected from 0.12.0 to 0.12.14 (excl.) affected from 0.11.0 to 0.11.13 (excl.)

CVE-2026-41050 PUBLISHED

Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Metrics

Product Status

Credits

References

Problem Types