9.9
CVE-2026-41050
- EPSS 0.04%
- Published 13.05.2026 08:04:57
- Last modified 13.05.2026 15:35:35
- Source meissner@suse.de
Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: SUSE
Product: Rancher
Default status: unaffected

| Version (from, inclusive) | Version (before) | Status |
|---|---|---|
| 0.15.0 | 0.15.1 | affected |
| 0.14.0 | 0.14.5 | affected |
| 0.13.0 | 0.13.10 | affected |
| 0.12.0 | 0.12.14 | affected |
| 0.11.0 | 0.11.13 | affected |
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.117 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| meissner@suse.de | 9.9 | 3.1 | 6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.