CVE-2026-44938
EUVD-2026-4203907.07.2026, 14:16
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-monitored repository could overwrite Pod Security Standards (PSS) enforcement labels on a target namespace. This allows the attacker to weaken admission controls and deploy workloads that PSS policies would otherwise block.Enginsight
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| suse | rancher | 0.15.0 ≤ 𝑥 < 0.15.2 | CNA |
| suse | rancher | 0.14.0 ≤ 𝑥 < 0.14.6 | CNA |
| suse | rancher | 0.13.0 ≤ 𝑥 < 0.13.11 | CNA |
| suse | rancher | 0.12.0 ≤ 𝑥 < 0.12.15 | CNA |
Common Weakness Enumeration
Vulnerability Media Exposure