JustAppSec
CRITICAL SeverityCVSS 3.19.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2026-41050

Last updated May 13, 2026 · Published May 13, 2026

← Back to list

Description

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

Affected products

1 listed
  • SUSE:Rancher

Mappings

CWE

CWE-863

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms

Need help?Get in touch.