Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges - gbhackers.com
gbhackers.comArchived Jun 02, 2026✓ Full text saved
Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges gbhackers.com
Full text archived locally
✦ AI Summary· Claude Sonnet
CVE/vulnerabilityCyber Security News
2 min.Read
Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges
By Divya
May 8, 2026
Share
Facebook
Twitter
Pinterest
WhatsApp
The SUSE Rancher Security team disclosed a critical vulnerability tracked as CVE-2026-41050. This severe flaw affects Rancher Fleet, a popular GitOps tool for managing Kubernetes clusters at scale.
The vulnerability completely breaks the platform’s core multi-tenant isolation mechanism, allowing malicious users to bypass security boundaries and steal sensitive data.
According to an analysis by Lyrie Threat Intelligence, the flaw effectively turns the Helm deployer into a secret-harvesting machine, putting shared environments at immediate risk of privilege escalation.
Vulnerability in Rancher Fleet
The vulnerability exists because Fleet’s Helm deployer fails to enforce ServiceAccount impersonation across deployment pipelines. This oversight creates two distinct pathways for attackers to elevate their privileges to full cluster-admin status.
Attack scenario:
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
name: tenant-chart
namespace: tenant-ns
spec:
repo: https://github.com/tenant/malicious-chart
helm:
values:
adminToken: "{{ lookup('v1', 'Secret', 'kube-system', 'admin-secret').data.token }}"
The first bypass involves the Helm lookup function. When a tenant writes a Helm chart template that queries Kubernetes resources using this function, FleetFleet executes the command with the highly privileged fleet-agent credentials rather than the restricted tenant account.
If an attacker has basic “git push” access to a monitored repository, they can deploy a malicious chart that secretly extracts admin tokens from any namespace across all downstream clusters.
The second bypass occurs within the FleetFleet.yaml configuration file. When this file references a Secret or ConfigMap using the valuesFrom directive, the system reads the data again with cluster-admin privileges.
Attackers can easily craft a configuration file that targets credentials outside their restricted environment. Because these unauthorized secret reads appear to be normal workload operations, standard security tools cannot easily distinguish between legitimate commands and active exploitation.
Affected Rancher Fleet Versions
This flaw poses a significant risk to shared DevOps environments and Kubernetes-as-a-Service platforms. If a stolen credential belongs to an external service, such as an AWS IAM role, attackers can use it to move laterally across your entire corporate infrastructure.
Rancher Fleet versions earlier than 0.11.13, 0.12.14, 0.13.10, and 0.14.5 are vulnerable.
Rancher 2.10.11 and older are affected and require a manual Fleet upgrade.
Rancher 2.11.x, 2.12.x, and 2.13.x are affected until upgraded to 2.11.13, 2.12.9, and 2.13.5.
Rancher 2.14.0 is affected until upgraded to 2.14.1.
The vulnerability impacts Rancher Fleet versions before 0.11.13, 0.12.14, 0.13.10, and 0.14.5. For users running full Rancher deployments, affected versions include Rancher 2.10.11 and older, which require a manual Fleet upgrade.
Rancher branches 2.11.x through 2.13.x are also vulnerable unless updated to versions 2.11.13, 2.12.9, or 2.13.5 respectively. Additionally, Rancher 2.14.0 is impacted and requires an immediate update to version 2.14.1.
Patching is the ultimate fix, but security teams must take immediate autonomous action to secure their clusters while updates are staged.
First, you should identify all vulnerable Rancher versions across your network and immediately disable Fleet-monitored repositories for any untrusted tenants.
Next, audit your Git repositories for malicious activity. Search for Helm charts that use the lookup function in their templates and inspect all FleetFleet.yaml files for cross-namespace valuesFrom references.
If you discover these unauthorized lookups, assume a breach has occurred and rotate any secrets accessed from privileged areas, such as the kube-system namespace. Finally, enable strict audit logging on your Kubernetes API server to capture all future secret reads from tenant-controlled pods.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
Tags
cyber security
Cyber Security News
Vulnerability
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
Hot this week
Infosec- Resources
How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities
June 4, 2023
1
What is Deep Web The deep web, invisible web, or...
SOC Architecture
How to Build and Run a Security Operations Center (SOC Guide) – 2023
June 3, 2023
12
Today’s Cyber security operations center (CSOC) should have everything...
Cyber Security News
Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component
October 18, 2023
0
TeamViewer's popularity and remote access capabilities make it an...
Checklist
Web Server Penetration Testing Checklist – 2026
January 6, 2026
0
Web server pentesting is performed under three significant categories: identity,...
Infosec- Resources
ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities
June 4, 2023
4
ATM Penetration testing, Hackers have found different approaches to...
Topics
AcquisitionAdobeAdwareAIAmazonAmazon AWSAMDAndroidAnti VirusAntimalwareANY RUNApacheAPIAppleAPTArtificial IntelligenceAvastAWSAzureBackdoorBitcoinBluetoothBotnetBrowserBuffer over flowBug BountyBusinessChatbotsChatGPTChecklistChromeCiscoCISOCISO AdvisoryCloudCloud SecurityCloudflareComputer SecurityCourseCPUCross site ScriptingcryptocurrencyCryptocurrency hackCVE/vulnerabilityCyber AdvisoryCyber AICyber AttackCyber Crimecyber securityCyber security CourseCyber Security NewsCyber Security ResourcesDark WebData BreachData GovernanceDDOSDealsDeepSeekDiscordDNSDos AttackDriveDropboxEducationEmailEmail SecurityEthical HackingExploitExploitation ToolsExtratorrentsFACEBOOKFeaturedFirefoxFirefox NewsFirewallForensics ToolsgameGenAIGitHubGitLabGmailGoogleGoogle dorksGovernanceGRCHacking BooksHacksHardware HackingHBOHTMLHTTPIBMIISIncident ResponseInformation GatheringInformation Security RisksInfosec- ResourcesInsider ThreatsInstagramIntelMore
API
Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign
0
A long-running Telegram influence and fraud campaign where a...
CVE/vulnerability
Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds
0
A critical security vulnerability in KMW CCTV security cameras...
cyber security
Foreign Spyware Found on Phones of Top Russian Officials
0
Russian authorities have disclosed a suspected large-scale cyber espionage...
cyber security
Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT
0
Mustang Panda is using a fake “Browser Updater” and...
CVE/vulnerability
Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise
0
A critical supply chain vulnerability in Anthropic’s Claude Code...
CVE/vulnerability
CISA Warns of Active Exploitation of Palo Alto Networks PAN-OS Vulnerability
0
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...
CVE/vulnerability
CISA Issues Alert on Oracle WebLogic Server Flaw Under Active Exploitation
0
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...
Android
Android Zero-Day Vulnerability Actively Exploited in Device Takeover Attacks
0
Google has disclosed a critical Android zero-day vulnerability that...
Related Articles
Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign
API June 2, 2026
Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds
CVE/vulnerability June 2, 2026
Foreign Spyware Found on Phones of Top Russian Officials
cyber security June 2, 2026
Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT
cyber security June 2, 2026
Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise
CVE/vulnerability June 2, 2026
Recent News
Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign
Mayura Kathir - June 2, 2026
Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds
Divya - June 2, 2026
Foreign Spyware Found on Phones of Top Russian Officials
Mayura Kathir - June 2, 2026
Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT
Mayura Kathir - June 2, 2026
Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise
Divya - June 2, 2026
CISA Warns of Active Exploitation of Palo Alto Networks PAN-OS Vulnerability
Divya - June 2, 2026