Description
Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file, allowing attackers able to push to fleet monitored git repos to leak helm access credentials.
Published: 2026-07-06
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in SUSE Rancher Fleet’s bundle reader, where the helmRepoURLRegex field was left unset on a GitRepo resource. This omission allows an attacker who can push to the fleet‑monitored Git repository to supply an arbitrary URL in the helm.repo field of a fleet.yaml file. As a result, the BasicAuth credentials used to authenticate to the Helm chart repository are forwarded to the attacker‑controlled URL, leading to the leaking This flaw does not enable code execution; its primary danger lies in the exposure of privileged credentials that could be used to access or modify Helm repositories or other protected resources.

Affected Systems

SUSE Rancher Fleet is affected in the following major releases: version 0.15.0 up to 0.15.1, 0.14.0 up to 0.14.5, 0.13.0 up to 0.13.10, and 0.12.0 up to 0.12.14. All earlier versions are also impacted by this defect.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% points to a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to have write access to a fleet‑managed Git repository; once this condition is met, the attacker can insert a fleet.yaml containing a malicious helm.repo URL, causing the system to transmit its BasicAuth credentials to the attacker’s endpoint. No direct impact on confidentiality of the fleet data itself is indicated, but the credential leak could enable further privilege escalation in downstream systems.

Generated by OpenCVE AI on July 6, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Rancher Fleet release that addresses this issue – upgrade to version 0.15.2 or later, later, 0.13.11 or later, or 0.12.15 or later, depending on the current version in use.
  • Limit write permission on monitored Git repositories to only trusted users, preventing unauthorized modifications to fleet.yaml files.
  • Monitor outgoing network traffic and audit Helm credential usage to detect any anomalous connections to external URLs that could indicate credential exfiltration.

Generated by OpenCVE AI on July 6, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hx4v-cxpf-vh8m Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Suse
Suse rancher
Vendors & Products Suse
Suse rancher

Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file, allowing attackers able to push to fleet monitored git repos to leak helm access credentials.
Title Rancher Fleet SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-07-06T12:47:45.102Z

Reserved: 2026-05-08T12:29:48.967Z

Link: CVE-2026-44936

cve-icon Vulnrichment

Updated: 2026-07-06T12:47:41.781Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)