VYPR

Go modules package

github.com/rancher/fleet

pkg:golang/github.com/rancher/fleet

Vulnerabilities (3)

  • CVE-2026-41050 | Critical | May 13, 2026
    affected >= 0.15.0, < 0.15.1; fixed 0.15.1

    Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

  • CVE-2024-52284 | High | Sep 2, 2025
    affected >= 0.13.0, < 0.13.1-0.20250806151509-088bcbea7edb; fixed 0.13.1-0.20250806151509-088bcbea7edb

    Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.

  • CVE-2025-23390 | Medium | Apr 25, 2025
    affected >= 0.9.0-rc.1, < 0.10.12; fixed 0.10.12

    Impact: A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (M