Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated because the vulnerable config omits the webhook secret (PR:N), but AC:H reflects regex-crafting/path-knowledge preconditions; main impact is availability DoS (A:H) with limited integrity from downgrade (I:L) and no confidentiality loss.
Primary rating from Vendor (https://github.com/rancher/fleet).
CVSS VectorVendor: https://github.com/rancher/fleet
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Impact
A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests.
An attacker can exploit this vulnerability to cause the following impacts:
- Trigger continuous repository re-cloning, which increases network traffic and can deplete resources on the management cluster.
- Downgrade running services to any historical revision available in the remote Git repository. This risk applies if the attacker has read access to the target Git repository and knows its configured path.
Please consult the associated MITRE ATT&CK - Technique - T1499.004: Endpoint Denial of Service for further information about this category of attack.
Patches
To resolve this vulnerability, upgrade Fleet to a patched version. This upgrade version escapes the URL and path to the remote repository received from webhooks, which prevents regular expressions from being used as a replacement for the URL and path.
Patched versions of Fleet include releases v0.15.2, v0.14.6, 0.13.11, and v0.12.15.
Workarounds
If you can't upgrade to a fixed version, please make sure to only enable webhooks with a shared secret.
Credits
This security issue was reported by the following collaborators according to our responsible disclosure policy:
- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
AnalysisAI
Unauthenticated webhook request forgery in Rancher Fleet (GitOps controller for Kubernetes) lets remote attackers manipulate GitRepo processing when the webhook endpoint is configured without a shared secret. Because the repository URL and path received from webhooks are used unsanitized as a regex replacement (CWE-345), an attacker who does not know the configured repository can force continuous re-cloning to exhaust management-cluster resources (DoS), and - if they have read access to the target Git repo and know its path - can downgrade running workloads to any historical revision. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Fleet webhook endpoint is enabled and configured WITHOUT a shared secret - this specific misconfiguration is the core prerequisite (the vendor workaround of requiring a secret fully blocks the attack). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:H/AT:P/PR:N/UI:N and impact VC:N/VI:L/VA:H - network-reachable and unauthenticated (PR:N) but with high attack complexity and a present attack requirement (AC:H/AT:P), reflecting that meaningful abuse (especially the service-downgrade path) depends on preconditions such as read access to the target repo and knowledge of its path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-exposed Fleet webhook endpoint that was enabled without a shared secret sends forged webhook requests; the unsanitized URL/path is used as a regex, so Fleet matches and re-processes GitRepo resources without the attacker knowing their exact identifiers. Repeated forged requests trigger continuous repository re-cloning that saturates network and compute on the management cluster (DoS), and - given read access to the target Git repo and its path - the attacker downgrades a running service to an older, potentially vulnerable revision. … |
| Remediation | Upgrade Fleet to the fixed release for your line - Vendor-released patch: v0.15.2, v0.14.6, 0.13.11, or v0.12.15 - which escapes the URL and path received from webhooks so attacker-supplied values can no longer act as regular-expression replacements. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Rancher Fleet deployments to identify webhook endpoints and verify shared-secret authentication is enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41867
GHSA-jmf4-m7j9-g72r