CVE-2026-44935 PUBLISHED

Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

Assigner: suse
Reserved: 08.05.2026 Published: 02.07.2026 Updated: 03.07.2026

Missing validation of `valuesFrom` references in the Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access Fleet credentials of other tenants.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Product Status

Vendor SUSE
Product Rancher
Versions Default: unaffected
  • affected from 0.15.0 to 0.15.2 (excl.)
  • affected from 0.14.0 to 0.14.6 (excl.)
  • affected from 0.13.0 to 0.13.11 (excl.)
  • affected from 0.12.0 to 0.12.15 (excl.)

Problem Types

  • CWE-1287: Improper Validation of Specified Type of Input