The SUSE Rancher Security team has issued a high-priority advisory regarding a pair of vulnerabilities in Fleet, the GitOps engine designed to manage Kubernetes clusters at massive scale. Tracked as CVE-2026-41050 with a critical CVSS score of 9.9, the flaw allows a tenant with limited access to break out of their isolation and gain full cluster-administrator privileges.
While Fleet is lightweight enough for single-cluster use, it is built to handle thousands of teams and clusters simultaneously, a scale that makes this breakdown of multi-tenant boundaries particularly dangerous.
Fleet's security model relies on ServiceAccount impersonation to ensure that users can only access the resources they are authorized to manage. However, researchers discovered two specific code paths where this impersonation was not fully applied by the Helm deployer.
According to the security advisory, “Fleet’s Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo”.
The vulnerability manifests in two distinct bypasses:
- The Helm Lookup Bypass: When the Helm template engine runs Kubernetes API queries through the lookup function, it erroneously uses the fleet-agent's cluster-admin credentials rather than the restricted credentials of the user.
- The valuesFrom Bypass: When a fleet.yaml file references secrets or ConfigMaps via helm.valuesFrom, those resources are read using the high-privilege cluster-admin client.
In a multi-tenant environment, this flaw allows a single tenant to reach across the aisle and “read secrets from any namespace” on any downstream cluster they target. Because the leaked secrets may be credentials for external services, the full impact of a breach is hard to predict and could extend to a total compromise of connected cloud infrastructure.
The Rancher team notes that single-tenant deployments, where all users are already trusted with full access, are not affected by this specific vulnerability.
The security team has resolved the issue by ensuring that the Helm action configuration consistently uses the impersonated ServiceAccount credentials. Users should upgrade to the following versions of Rancher immediately:
- v2.14.1, v2.13.5, v2.12.9, and v2.11.13.
- Users on Rancher v2.10.11 must manually update their Fleet deployment to version 0.11.13.
The advisory explicitly warns that “no workaround fully mitigates the issue for multi-tenant deployments” and that patches must be applied as soon as possible.
To reduce the attack surface in the interim, administrators can:
- Restrict Git Access: Limit git push access to Fleet-monitored repositories to only highly trusted users.
- Apply GitRepoRestriction: Use restriction resources to limit which ServiceAccounts a specific namespace can use.
- Audit Templates: Manually scan deployed chart templates for lookup calls and fleet.yaml files for cross-namespace valuesFrom references.
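As an added example (not code from the advisory or the Fleet project), a small audit helper in the spirit of the third interim step: it lists the helm.valuesFrom references in a fleet.yaml, flags those that point outside the tenant's own namespace, and reports template lines that call Helm's lookup. The fleet.yaml and template below are constructed samples, and the rule that a tenant's references should stay inside one namespace (tenant_namespace) is an assumption of this example.

```python
import re
# Constructed sample fleet.yaml using Fleet's helm.valuesFrom layout
# (configMapKeyRef/secretKeyRef entries with name, namespace, key).
FLEET_YAML = """\
helm:
  valuesFrom:
  - configMapKeyRef:
      name: chart-values
      namespace: team-a
      key: values.yaml
  - secretKeyRef:
      name: cloud-creds
      namespace: kube-system
      key: values.yaml
  releaseName: app
"""
# Constructed chart template that reads a Secret through Helm's lookup.
TEMPLATE = """\
data:
  {{- $s := (lookup "v1" "Secret" "kube-system" "cloud-creds") }}
  token: {{ index $s.data "token" }}
"""
REF_RE = re.compile(r"^\s*-?\s*(secretKeyRef|configMapKeyRef):\s*$")
FIELD_RE = re.compile(r"^\s*(name|namespace):\s*(\S+)\s*$")
LOOKUP_RE = re.compile(r'\blookup\s+"')

def values_from_refs(fleet_yaml):
    """Return (kind, name, namespace) for every helm.valuesFrom entry."""
    refs, cur, in_block, block_indent = [], None, False, 0
    for line in fleet_yaml.splitlines():
        if not line.strip():
            continue  # blank lines never end the list
        indent = len(line) - len(line.lstrip())
        if line.strip() == "valuesFrom:":
            in_block, block_indent = True, indent
        elif in_block and indent <= block_indent and not line.lstrip().startswith("-"):
            in_block = False  # a sibling key (releaseName here) ends the list
        elif in_block and (m := REF_RE.match(line)):
            cur = {"kind": m.group(1), "name": None, "namespace": None}
            refs.append(cur)
        elif in_block and cur and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2)
    return [(r["kind"], r["name"], r["namespace"]) for r in refs]

def cross_namespace_refs(fleet_yaml, tenant_namespace):
    # valuesFrom references pointing outside the namespace the tenant owns
    return [r for r in values_from_refs(fleet_yaml)
            if r[2] is not None and r[2] != tenant_namespace]

def lookup_lines(template):
    # 1-based line numbers of template lines that call Helm's lookup
    return [i for i, l in enumerate(template.splitlines(), 1) if LOOKUP_RE.search(l)]
```

Run the two checks over every fleet.yaml and templates directory in a monitored repository; any hit is a reference that depended on the agent's cluster-admin client before the fix and deserves a manual review.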