Critical severity 9.9 · GHSA Advisory · Published May 13, 2026 · Updated May 13, 2026
CVE-2026-41050
Description
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/fleet (Go) | >= 0.15.0, < 0.15.1 | 0.15.1 |
| github.com/rancher/fleet (Go) | >= 0.14.0, < 0.14.5 | 0.14.5 |
| github.com/rancher/fleet (Go) | >= 0.13.0, < 0.13.10 | 0.13.10 |
| github.com/rancher/fleet (Go) | >= 0.12.0, < 0.12.14 | 0.12.14 |
| github.com/rancher/fleet (Go) | >= 0.11.0, < 0.11.13 | 0.11.13 |