CVE-2026-44935 CRITICAL

CVE-2026-44935: Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

Vendor Suse
Product Rancher
Weakness CWE-1287
Published July 2, 2026
Last update July 2, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.

Key dates

02Disclosure timeline

July 2, 2026 CVE published
July 2, 2026 Record updated

Related vulnerabilities

04Related CVE