
Description

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

State: PUBLISHED | Reserved: 2026-04-16 | Published: 2026-05-13 | Updated: 2026-05-14 | Assigner: suse

CRITICAL: 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-863: Incorrect Authorization

Product status

Default status
unaffected

0.15.0 (semver) before 0.15.1
affected

0.14.0 (semver) before 0.14.5
affected

0.13.0 (semver) before 0.13.10
affected

0.12.0 (semver) before 0.12.14
affected

0.11.0 (semver) before 0.11.13
affected
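The version ranges above, turned into a check an operator can run against the Fleet version actually deployed on a management cluster. This is an added example, not code from the CVE record or the Fleet project: the ranges are copied from the Product status section, the semver parsing is a minimal reader written for this check (a pre-release tag orders before the release it precedes, build metadata is ignored), and the names `parse_version` and `fleet_status` are this example's own. A version outside every listed range is reported as unaffected because that is the record's default status, not because the example knows anything more about those builds.

```python
"""Check a Fleet release against the affected ranges in CVE-2026-41050.

Added example, not part of the CVE record or the Fleet project. The
ranges below are copied from the record's Product status section.
"""
import re
import sys
from typing import Optional, Tuple

# (first affected, first fixed) for each affected branch, from the record.
# Anything not covered here is "unaffected", the record's default status.
AFFECTED_RANGES = [
    ("0.15.0", "0.15.1"),
    ("0.14.0", "0.14.5"),
    ("0.13.0", "0.13.10"),
    ("0.12.0", "0.12.14"),
    ("0.11.0", "0.11.13"),
]

# Optional leading "v", MAJOR.MINOR.PATCH, optional -prerelease, optional +build.
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Split a semver string into (major, minor, patch, prerelease)."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre or "")


def _key(v: Tuple[int, int, int, str]):
    """Sort key: a pre-release (e.g. 0.15.1-rc.1) sorts below its release.

    Pre-release identifiers are compared as plain strings here, which is a
    simplification of the semver rules but enough for release/rc tags.
    """
    major, minor, patch, pre = v
    return (major, minor, patch, 0 if pre else 1, pre)


def fleet_status(version: str) -> Tuple[str, Optional[str]]:
    """Return ("affected", first_fixed_version) or ("unaffected", None)."""
    v = _key(parse_version(version))
    for start, fixed in AFFECTED_RANGES:
        if _key(parse_version(start)) <= v < _key(parse_version(fixed)):
            return ("affected", fixed)
    return ("unaffected", None)


if __name__ == "__main__":
    # Constructed sample inputs when no versions are given on the command line.
    for arg in sys.argv[1:] or ["0.13.9", "0.13.10", "v0.15.0", "0.15.1-rc.1", "0.16.0"]:
        status, fixed = fleet_status(arg)
        suffix = f" (upgrade to {fixed})" if fixed else ""
        print(f"{arg}: {status}{suffix}")
```

Feed it the Fleet application version that is actually running (for example the version reported for the fleet chart by `helm list`), not the Rancher version. Note that a pre-release such as 0.15.1-rc.1 is still reported as affected, since the fix lands in 0.15.1 itself.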

Credits

https://github.com/kodareef5 (finder)

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41050

https://github.com/advisories/GHSA-765j-qfrp-hm3j

https://www.cve.org/CVERecord?id=CVE-2026-41050

https://nvd.nist.gov/vuln/detail/CVE-2026-41050
