75 matches found
CVE-2026-44938
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a Fleet-monitored...
CVE-2026-44938
CVE-2026-44938 affects Fleet’s agent-side deployer, which did not filter security‑sensitive keys from namespaceLabels when applying them to a target namespace. An attacker with git push access to a Fleet-monitored repo could overwrite Pod Security Standards (PSS) enforcement labels, weakening adm...
CVE-2026-46680
A flaw was found in containerd, an open-source container runtime. Containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This vulnerability allows a crafted container image to bypass the Kubernetes runAsNonRoot restrictio...
GHSA-VX8H-4PRV-G744 Rancher has Privilege Escalation from Project Owner to Host
Impact A vulnerability has been identified in Rancher Manager that allows users assigned the Project Owner role to modify Pod Security Admission PSA labels on namespaces within their projects. Under the default role configuration, an attacker with the following access pattern can exploit this...
Rancher has Privilege Escalation from Project Owner to Host
Impact A vulnerability has been identified in Rancher Manager that allows users assigned the Project Owner role to modify Pod Security Admission PSA labels on namespaces within their projects. Under the default role configuration, an attacker with the following access pattern can exploit this...
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...
GHSA-864G-863M-VCVQ Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...
PT-2026-54763
Name of the Vulnerable Software and Affected Versions Rancher Fleet affected versions not specified Description An authentication bypass exists in the webhook component. Additionally, a Pod Security Standard PSS bypass can be achieved through the manipulation of namespace labels. Recommendations ...
CVE-2026-44947
CVE-2026-44947 describes a missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher, affecting versions 2.13.0–2.13.7 and 2.14.0–2.14.3. The issue allows users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those per...
CVE-2026-42296
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...
CVE-2026-42296
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...
CVE-2026-42296
Argo Workflows CVE-2026-42296 describes a bypass for templateReferencing: Strict that lets users with create Workflow access obtain host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. Root ca...
CVE-2026-42296 Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...
CVE-2026-42296
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...
EUVD-2026-28894
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...
Argo Workflows 安全漏洞
Argo Workflows is an open-source container-native workflow engine for Kubernetes, part of the Argo project. Versions prior to Argo Workflows 3.7.14 and 4.0.5 contained security vulnerabilities. These vulnerabilities stemmed from users with permission to create Workflows being able to bypass the...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...
Important: Red Hat Security Advisory: Red Hat OpenShift GitOps v1.19.3 security update
Important: Red Hat OpenShift GitOps v1.19.3 security update An update is now available for Red Hat OpenShift GitOps. Bug Fixes and Enhancements: GITOPS-9158 OpenShift Gitops Operator v1.19.2 has hardcoded pod-security labels which conflict OCP = 4.16 GITOPS-9587 multiple CVEs in ose-kube-rbac-pro...