CVE-2026-41050 – Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

CVE ID: CVE-2026-41050

Published: May 13, 2026, 8:04 a.m.

Description: Fleet’s Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

Severity: 9.9 | CRITICAL
