CVE-2026-44935
CRITICALRancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Title source: cnaDescription
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://github.com/rancher/fleet/security/advisories/GHSA-xr65-5cpm-g36x
Scores
CVSS v3
9.9
EPSS
0.0059
EPSS Percentile
43.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1287
Status
published
Products (5)
SUSE/Rancher
0.12.0 - 0.12.15
SUSE/Rancher
0.13.0 - 0.13.11
SUSE/Rancher
0.14.0 - 0.14.6
SUSE/Rancher
0.15.0 - 0.15.2
suse/rancher_fleet
0.12.0 - 0.12.15
Published
Jul 02, 2026
Tracked Since
Jul 02, 2026