Go modules package
github.com/rancher/fleet
pkg:golang/github.com/rancher/fleet
Vulnerabilities (3)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41050 | Critical | 9.9 | | >= 0.15.0, < 0.15.1 | 0.15.1 | May 13, 2026 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`. |
| CVE-2024-52284 | High | 7.7 | | >= 0.13.0, < 0.13.1-0.20250806151509-088bcbea7edb | 0.13.1-0.20250806151509-088bcbea7edb | Sep 2, 2025 | Unauthorized disclosure of sensitive data: any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets. |
| CVE-2025-23390 | Medium | — | | >= 0.9.0-rc.1, < 0.10.12 | 0.10.12 | Apr 25, 2025 | Impact: A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server's certificate when connecting through SSH if the certificate isn't set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (M |