CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 02, 2026

Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges - gbhackers.com

gbhackers.com Archived Jun 02, 2026 ✓ Full text saved

Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges gbhackers.com

Full text archived locally
✦ AI Summary · Claude Sonnet


    CVE/vulnerabilityCyber Security News 2 min.Read Critical Vulnerability in Rancher Fleet Enables Full Cluster-Admin Privileges By Divya May 8, 2026 Share Facebook Twitter Pinterest WhatsApp The SUSE Rancher Security team disclosed a critical vulnerability tracked as CVE-2026-41050. This severe flaw affects Rancher Fleet, a popular GitOps tool for managing Kubernetes clusters at scale. The vulnerability completely breaks the platform’s core multi-tenant isolation mechanism, allowing malicious users to bypass security boundaries and steal sensitive data. According to an analysis by Lyrie Threat Intelligence, the flaw effectively turns the Helm deployer into a secret-harvesting machine, putting shared environments at immediate risk of privilege escalation. Vulnerability in Rancher Fleet The vulnerability exists because Fleet’s Helm deployer fails to enforce ServiceAccount impersonation across deployment pipelines. This oversight creates two distinct pathways for attackers to elevate their privileges to full cluster-admin status. Attack scenario: apiVersion: fleet.cattle.io/v1alpha1 kind: GitRepo metadata: name: tenant-chart namespace: tenant-ns spec: repo: https://github.com/tenant/malicious-chart helm: values: adminToken: "{{ lookup('v1', 'Secret', 'kube-system', 'admin-secret').data.token }}" The first bypass involves the Helm lookup function. When a tenant writes a Helm chart template that queries Kubernetes resources using this function, FleetFleet executes the command with the highly privileged fleet-agent credentials rather than the restricted tenant account. If an attacker has basic “git push” access to a monitored repository, they can deploy a malicious chart that secretly extracts admin tokens from any namespace across all downstream clusters. The second bypass occurs within the FleetFleet.yaml configuration file. When this file references a Secret or ConfigMap using the valuesFrom directive, the system reads the data again with cluster-admin privileges. Attackers can easily craft a configuration file that targets credentials outside their restricted environment. Because these unauthorized secret reads appear to be normal workload operations, standard security tools cannot easily distinguish between legitimate commands and active exploitation. Affected Rancher Fleet Versions This flaw poses a significant risk to shared DevOps environments and Kubernetes-as-a-Service platforms. If a stolen credential belongs to an external service, such as an AWS IAM role, attackers can use it to move laterally across your entire corporate infrastructure. Rancher Fleet versions earlier than 0.11.13, 0.12.14, 0.13.10, and 0.14.5 are vulnerable. Rancher 2.10.11 and older are affected and require a manual Fleet upgrade. Rancher 2.11.x, 2.12.x, and 2.13.x are affected until upgraded to 2.11.13, 2.12.9, and 2.13.5. Rancher 2.14.0 is affected until upgraded to 2.14.1. The vulnerability impacts Rancher Fleet versions before 0.11.13, 0.12.14, 0.13.10, and 0.14.5. For users running full Rancher deployments, affected versions include Rancher 2.10.11 and older, which require a manual Fleet upgrade. Rancher branches 2.11.x through 2.13.x are also vulnerable unless updated to versions 2.11.13, 2.12.9, or 2.13.5 respectively. Additionally, Rancher 2.14.0 is impacted and requires an immediate update to version 2.14.1. Patching is the ultimate fix, but security teams must take immediate autonomous action to secure their clusters while updates are staged. First, you should identify all vulnerable Rancher versions across your network and immediately disable Fleet-monitored repositories for any untrusted tenants. Next, audit your Git repositories for malicious activity. Search for Helm charts that use the lookup function in their templates and inspect all FleetFleet.yaml files for cross-namespace valuesFrom references. If you discover these unauthorized lookups, assume a breach has occurred and rotate any secrets accessed from privileged areas, such as the kube-system namespace. Finally, enable strict audit logging on your Kubernetes API server to capture all future secret reads from tenant-controlled pods. Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google. Tags cyber security Cyber Security News Vulnerability Divya Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world. Hot this week Infosec- Resources How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities June 4, 2023 1 What is Deep Web The deep web, invisible web, or... SOC Architecture How to Build and Run a Security Operations Center (SOC Guide) – 2023 June 3, 2023 12 Today’s Cyber security operations center (CSOC) should have everything... Cyber Security News Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component October 18, 2023 0 TeamViewer's popularity and remote access capabilities make it an... Checklist Web Server Penetration Testing Checklist – 2026 January 6, 2026 0 Web server pentesting is performed under three significant categories: identity,... Infosec- Resources ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities June 4, 2023 4 ATM Penetration testing, Hackers have found different approaches to... Topics AcquisitionAdobeAdwareAIAmazonAmazon AWSAMDAndroidAnti VirusAntimalwareANY RUNApacheAPIAppleAPTArtificial IntelligenceAvastAWSAzureBackdoorBitcoinBluetoothBotnetBrowserBuffer over flowBug BountyBusinessChatbotsChatGPTChecklistChromeCiscoCISOCISO AdvisoryCloudCloud SecurityCloudflareComputer SecurityCourseCPUCross site ScriptingcryptocurrencyCryptocurrency hackCVE/vulnerabilityCyber AdvisoryCyber AICyber AttackCyber Crimecyber securityCyber security CourseCyber Security NewsCyber Security ResourcesDark WebData BreachData GovernanceDDOSDealsDeepSeekDiscordDNSDos AttackDriveDropboxEducationEmailEmail SecurityEthical HackingExploitExploitation ToolsExtratorrentsFACEBOOKFeaturedFirefoxFirefox NewsFirewallForensics ToolsgameGenAIGitHubGitLabGmailGoogleGoogle dorksGovernanceGRCHacking BooksHacksHardware HackingHBOHTMLHTTPIBMIISIncident ResponseInformation GatheringInformation Security RisksInfosec- ResourcesInsider ThreatsInstagramIntelMore API Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign 0 A long-running Telegram influence and fraud campaign where a... CVE/vulnerability Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds 0 A critical security vulnerability in KMW CCTV security cameras... cyber security Foreign Spyware Found on Phones of Top Russian Officials 0 Russian authorities have disclosed a suspected large-scale cyber espionage... cyber security Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT 0 Mustang Panda is using a fake “Browser Updater” and... CVE/vulnerability Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise 0 A critical supply chain vulnerability in Anthropic’s Claude Code... CVE/vulnerability CISA Warns of Active Exploitation of Palo Alto Networks PAN-OS Vulnerability 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has... CVE/vulnerability CISA Issues Alert on Oracle WebLogic Server Flaw Under Active Exploitation 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has... Android Android Zero-Day Vulnerability Actively Exploited in Device Takeover Attacks 0 Google has disclosed a critical Android zero-day vulnerability that... Related Articles Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign API June 2, 2026 Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds CVE/vulnerability June 2, 2026 Foreign Spyware Found on Phones of Top Russian Officials cyber security June 2, 2026 Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT cyber security June 2, 2026 Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise CVE/vulnerability June 2, 2026 Recent News Stolen Gemini API Keys Fuel Automated Telegram Influence Campaign Mayura Kathir - June 2, 2026 Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds Divya - June 2, 2026 Foreign Spyware Found on Phones of Top Russian Officials Mayura Kathir - June 2, 2026 Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT Mayura Kathir - June 2, 2026 Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise Divya - June 2, 2026 CISA Warns of Active Exploitation of Palo Alto Networks PAN-OS Vulnerability Divya - June 2, 2026
    💬 Team Notes
    Article Info
    Source
    gbhackers.com
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗