CVE-2026-44938: Fleet Agent Deployer NamespaceLabel Injection
CVE-2026-44938 Published on July 7, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace.
An attacker with git push access to a
Fleet-monitored repository could overwrite Pod Security Standards (PSS)
enforcement labels on a target namespace. This allows the attacker to
weaken admission controls and deploy workloads that PSS policies would
otherwise block.
Vulnerability Analysis
CVE-2026-44938 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2026-44938
Want to know whenever a new CVE is published for Suse Rancher? stack.watch will email you.
Affected Versions
SUSE Rancher:- Version 0.15.0 and below 0.15.2 is affected.
- Version 0.14.0 and below 0.14.6 is affected.
- Version 0.13.0 and below 0.13.11 is affected.
- Version 0.12.0 and below 0.12.15 is affected.