SUSE Rancher Fleet 0.15+ CrossTenant Credential Leak via valuesFrom
CVE-2026-44935 Published on July 2, 2026
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.
Vulnerability Analysis
CVE-2026-44935 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Products Associated with CVE-2026-44935
Want to know whenever a new CVE is published for Suse Rancher? stack.watch will email you.
Affected Versions
SUSE Rancher:- Version 0.15.0 and below 0.15.2 is affected.
- Version 0.14.0 and below 0.14.6 is affected.
- Version 0.13.0 and below 0.13.11 is affected.
- Version 0.12.0 and below 0.12.15 is affected.