CVE-2026-44949 – Unauthenticated namespace creation and RBAC injection via rancher-webhook FleetWorkspace mutating webhook

CVE ID :CVE-2026-44949

Published : June 30, 2026, 2:41 p.m. | 1 hour, 4 minutes ago

Description :A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.

Severity: 7.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…