Skip to main content

Rancher Fleet CVE-2026-44937

| EUVDEUVD-2026-41867 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-01 https://github.com/rancher/fleet GHSA-jmf4-m7j9-g72r
8.3
CVSS 4.0 · Vendor: https://github.com/rancher/fleet
Share

Severity by source

Vendor (https://github.com/rancher/fleet) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable and unauthenticated because the vulnerable config omits the webhook secret (PR:N), but AC:H reflects regex-crafting/path-knowledge preconditions; main impact is availability DoS (A:H) with limited integrity from downgrade (I:L) and no confidentiality loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/rancher/fleet).

CVSS VectorVendor: https://github.com/rancher/fleet

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 06, 2026 - 11:31 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 06, 2026 - 11:31 vuln.today
Analysis Updated
Jul 06, 2026 - 11:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 11:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 11:22 NVD
7.5 (HIGH) 8.3 (HIGH)
Analysis Generated
Jul 01, 2026 - 21:15 vuln.today

DescriptionCVE.org

Impact

A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests.

An attacker can exploit this vulnerability to cause the following impacts:

  1. Trigger continuous repository re-cloning, which increases network traffic and can deplete resources on the management cluster.
  2. Downgrade running services to any historical revision available in the remote Git repository. This risk applies if the attacker has read access to the target Git repository and knows its configured path.

Please consult the associated MITRE ATT&CK - Technique - T1499.004: Endpoint Denial of Service for further information about this category of attack.

Patches

To resolve this vulnerability, upgrade Fleet to a patched version. This upgrade version escapes the URL and path to the remote repository received from webhooks, which prevents regular expressions from being used as a replacement for the URL and path.

Patched versions of Fleet include releases v0.15.2, v0.14.6, 0.13.11, and v0.12.15.

Workarounds

If you can't upgrade to a fixed version, please make sure to only enable webhooks with a shared secret.

Credits

This security issue was reported by the following collaborators according to our responsible disclosure policy:

  • Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).

References

If you have any questions or comments about this advisory:

AnalysisAI

Unauthenticated webhook request forgery in Rancher Fleet (GitOps controller for Kubernetes) lets remote attackers manipulate GitRepo processing when the webhook endpoint is configured without a shared secret. Because the repository URL and path received from webhooks are used unsanitized as a regex replacement (CWE-345), an attacker who does not know the configured repository can force continuous re-cloning to exhaust management-cluster resources (DoS), and - if they have read access to the target Git repo and know its path - can downgrade running workloads to any historical revision. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach secret-less Fleet webhook endpoint
Delivery
Forge webhook with crafted URL/path payload
Exploit
Regex injection matches GitRepo resources
Execution
Fleet re-processes forged request
Persist
Flood triggers continuous re-cloning / revision downgrade
Impact
Management-cluster resource exhaustion or service downgrade

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Fleet webhook endpoint is enabled and configured WITHOUT a shared secret - this specific misconfiguration is the core prerequisite (the vendor workaround of requiring a secret fully blocks the attack). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:H/AT:P/PR:N/UI:N and impact VC:N/VI:L/VA:H - network-reachable and unauthenticated (PR:N) but with high attack complexity and a present attack requirement (AC:H/AT:P), reflecting that meaningful abuse (especially the service-downgrade path) depends on preconditions such as read access to the target repo and knowledge of its path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-exposed Fleet webhook endpoint that was enabled without a shared secret sends forged webhook requests; the unsanitized URL/path is used as a regex, so Fleet matches and re-processes GitRepo resources without the attacker knowing their exact identifiers. Repeated forged requests trigger continuous repository re-cloning that saturates network and compute on the management cluster (DoS), and - given read access to the target Git repo and its path - the attacker downgrades a running service to an older, potentially vulnerable revision. …
Remediation Upgrade Fleet to the fixed release for your line - Vendor-released patch: v0.15.2, v0.14.6, 0.13.11, or v0.12.15 - which escapes the URL and path received from webhooks so attacker-supplied values can no longer act as regular-expression replacements. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Rancher Fleet deployments to identify webhook endpoints and verify shared-secret authentication is enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy