Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Requires authenticated git push (PR:L) over the network; overwriting namespace PSS labels affects other components' security (S:C) and enables integrity/availability impact, with low direct confidentiality effect.
Primary rating from Vendor (https://github.com/rancher/fleet).
CVSS VectorVendor: https://github.com/rancher/fleet
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Impact
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace.
An attacker with git push access to a Fleet-monitored repository could overwrite Pod Security Standards (PSS) enforcement labels on a target namespace. This allows the attacker to weaken admission controls and deploy workloads that PSS policies would otherwise block.
Important: The final impact on confidentiality, integrity, and availability depends on the specific permissions of the leaked credentials.
Fleet team recommends you:
- Review your system for potentially leaked credentials.
- Replace any credentials that may be compromised.
Please consult the associated MITRE ATT&CK - Technique - Disable or Modify Tools for further information about this category of attack.
Patches
To fix this issue, upgrade to a patched version. The updated Fleet deployer filters out labels with the pod-security.kubernetes.io/ prefix when applying namespaceLabels to a namespace. This change preserves the PSS labels set by cluster administrators and prevents them from being overwritten through fleet.yaml or BundleDeployment options.
Patched versions of Fleet include releases v0.15.2, v0.14.6, v0.13.11, and v0.12.15.
Workarounds
If you can’t immediately upgrade to a patched version, use one of the following workarounds:
1 - Deploy NeuVector(primary workaround)
Deploy NeuVector (SUSE Security) and configure an admission control Deny rule for "Run as privileged" in Protect mode.
- NeuVector evaluates pod specs independently of Kubernetes PSS namespace labels. It blocks privileged containers even if the labels are downgraded.
- Although the namespace labels are still overwritten, the attack cannot exploit confidentiality, integrity, or availability without a privileged pod.
2 - Restrict repository access (secondary workaround)
Note: The following measure reduces the attack surface but does not close the vulnerability:
- In a multi-tenant setup, this restriction removes the primary attack vector. However, this measure only reduces the attack surface and doesn't completely close the vulnerability. It may also not be operationally viable for all organizations. ´
Credits
This security issue was reported by the following collaborators according to our responsible disclosure policy:
- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
References
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
AnalysisAI
Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the pod-security.kubernetes.io/ prefix) from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires write (git push) access to a repository that Fleet is configured to monitor, and a target namespace whose security posture is governed by Kubernetes Pod Security Admission labels (`pod-security.kubernetes.io/enforce` etc.) set by administrators. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The assigned CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8 High) reflects a network-reachable, low-complexity attack requiring some privilege (git push access), yielding high C/I/A - but that CIA impact is explicitly conditional: the advisory states final impact depends on the permissions of workloads the attacker can then deploy, so the H/H/H rating represents a worst-case downstream outcome rather than a direct guaranteed effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In a multi-tenant Rancher/Fleet environment, a tenant developer with git push access to a Fleet-monitored repository edits `fleet.yaml` to set `namespaceLabels` including `pod-security.kubernetes.io/enforce: privileged` on a target namespace. Fleet's unpatched agent applies these labels, silently downgrading Pod Security Admission enforcement, after which the attacker commits a manifest deploying a privileged pod (e.g., hostPath mount or hostPID) that PSS would previously have rejected - enabling node-level compromise or lateral movement. … |
| Remediation | Vendor-released patch: upgrade Fleet to v0.15.2, v0.14.6, v0.13.11, or v0.12.15 (whichever matches your minor branch); the patched deployer filters out labels carrying the `pod-security.kubernetes.io/` prefix so cluster-administrator-set PSS labels can no longer be overwritten via `fleet.yaml` or `BundleDeployment` options - see GHSA-864g-863m-vcvq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit git push access permissions to all Fleet-monitored repositories; review recent commit history for modifications to namespaceLabels containing pod-security.kubernetes.io/* prefixes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42039
GHSA-864g-863m-vcvq