379 matches found
CVE-2026-44938
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a Fleet-monitored...
CVE-2026-44935
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...
CVE-2026-44935
The vulnerability (CVE-2026-44935) affects SUSE Rancher Fleet’s Helm Deployer where missing validation of valuesFrom references enables cross-tenant access to fleet credentials stored in secrets/config maps on downstream clusters. Affected versions include Fleet 0.15.x before 0.15.2, 0.14.x befor...
CVE-2026-44935 Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...
CVE-2026-44935
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...
CVE-2026-44935 Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Impact A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters e.g., different privileged or untrusted teams inside the same organization. On unpatched versions, tenants could bypass restrictions to access any conf...
GHSA-XR65-5CPM-G36X Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Impact A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters e.g., different privileged or untrusted teams inside the same organization. On unpatched versions, tenants could bypass restrictions to access any conf...
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the addLabelsFromOptions function. An attacker can overwrite security-sensitive namespace labels by pushing changes to a monitored repository, thereby weakening admission controls and enabling...
MAL-2026-6491 Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...
Malicious code in @mastra/deployer-netlify (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2fc319f7f95075b9eb23f3c1dbde016dd6f4a23add16bf96a3449149d316d571 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6017 Malicious code in @mastra/deployer-netlify (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2fc319f7f95075b9eb23f3c1dbde016dd6f4a23add16bf96a3449149d316d571 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6016 Malicious code in @mastra/deployer-cloudflare (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 134b341a4308b5afd16ffa8eaf1c28befc1ebbd10303579f674eba8c480ba0b0 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in @mastra/deployer-vercel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c995bee89c27de9fc067df60d17baac74e4fec7f1682bc606694bb6f09848c The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6018 Malicious code in @mastra/deployer-vercel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c995bee89c27de9fc067df60d17baac74e4fec7f1682bc606694bb6f09848c The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in @mastra/deployer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ada3444d44067bbe5085e0892f7885b106c016c114676c2601b15bbb52ce4a4 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6015 Malicious code in @mastra/deployer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ada3444d44067bbe5085e0892f7885b106c016c114676c2601b15bbb52ce4a4 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Improper Authorization
Fleet is vulnerable to Improper Authorization. The vulnerability is due to incomplete application of ServiceAccount impersonation in certain Helm deployer code paths, which allows an attacker with git push access to read secrets from arbitrary namespaces on downstream clusters...
CVE-2026-41050
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...