CVE-2026-41050 CRITICAL

CVE-2026-41050: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Vendor Suse

Product Rancher

Weakness CWE-863 · Incorrect authorization

Published May 13, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

9.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

Key dates

02Disclosure timeline

May 13, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41050

Related vulnerabilities

Identifiers

CVE CVE-2026-41050

CWE CWE-863

CVSS 9.9 / CRITICAL

Affected versions

Vendor Suse

Product Rancher

Affected ≥ 0.15.0 and < 0.15.1

Vendor Suse

Product Rancher

Affected ≥ 0.14.0 and < 0.14.5

Vendor Suse

Product Rancher

Affected ≥ 0.13.0 and < 0.13.10

Vendor Suse

Product Rancher

Affected ≥ 0.12.0 and < 0.12.14

Vendor Suse

Product Rancher

Affected ≥ 0.11.0 and < 0.11.13

CVE-2026-41050: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

01Description

02Disclosure timeline

03References

04Related CVE