VYPR
Critical severity9.9GHSA Advisory· Published May 13, 2026· Updated May 13, 2026

CVE-2026-41050

CVE-2026-41050

Description

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/rancher/fleetGo
>= 0.15.0, < 0.15.10.15.1
github.com/rancher/fleetGo
>= 0.14.0, < 0.14.50.14.5
github.com/rancher/fleetGo
>= 0.13.0, < 0.13.100.13.10
github.com/rancher/fleetGo
>= 0.12.0, < 0.12.140.12.14
github.com/rancher/fleetGo
>= 0.11.0, < 0.11.130.11.13

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.