Threat Advisory

Fleet Vulnerability Allows Cross‐Tenant Secret Disclosure

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Fleet GitOps platform, affecting all releases prior to the latest updates. The flaws span cross‑namespace secret disclosure, server‑side request forgery, unauthenticated webhook abuse, and admission‑control bypass, each undermining tenant isolation, data confidentiality, and workload integrity. Exploitation can enable malicious tenants to exfiltrate secrets, hijack repository credentials, cause resource exhaustion, and deploy privileged containers that evade policy enforcement. The combined risk threatens the confidentiality, availability, and integrity of multi‑tenant Kubernetes environments, potentially leading to data breaches, lateral movement, and service disruption.

  • CVE-2026-44935 with a CVSS score of 9.9 – A cross‑namespace secret disclosure allows a malicious tenant to read any ConfigMap or Secret across all namespaces and to create cluster‑wide resources via Helm without admin approval.
  • CVE-2026-44936 – A Server‑Side Request Forgery in the bundle reader lets an attacker with repository write rights inject a malicious URL, causing the system to forward internal repository credentials to an external server.
  • CVE-2026-44937 – An unauthenticated webhook flaw enables a remote actor to trigger repository re‑cloning or force roll‑backs, leading to resource exhaustion and potential denial‑of‑service.
  • CVE-2026-44938 – An admission‑control bypass permits an attacker with write permission to overwrite namespace security labels, allowing privileged workloads that would normally be blocked.

The aggregated vulnerabilities present an urgent threat to enterprises relying on shared Kubernetes clusters, as exploitation could compromise sensitive data, disrupt operations, and erode trust in the platform’s isolation guarantees. Immediate attention from senior leadership is advised to mitigate potential business impact.

RECOMMENDATION:

  • We recommend updating Fleet to version v0.15.2, v0.14.6, v0.13.11, or v0.12.15, whichever matches the release line in use.
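As an added defender's check, not part of the advisory or the Fleet project, the Python snippet below decides whether a Fleet image tag predates the fixed release of its minor line and flags unpatched fleet or fleet-agent deployments in a constructed kubectl-style listing. The namespaces, image names and the treatment of release lines outside 0.12 to 0.15 are assumptions.

```python
import re

# Minimum patched release for each affected Fleet minor line, as listed in the advisory.
FIXED_PATCH = {(0, 15): 2, (0, 14): 6, (0, 13): 11, (0, 12): 15}

# Optional leading "v", MAJOR.MINOR.PATCH, optional pre-release suffix such as "-rc.1".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def is_vulnerable(tag):
    """True when a Fleet version tag predates the fixed release of its minor line."""
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Fleet version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    prerelease = m.group(4) is not None
    line = (major, minor)
    if line in FIXED_PATCH:
        # A pre-release of the fixed patch (v0.15.2-rc.1) still predates the fix itself.
        return patch <= FIXED_PATCH[line] if prerelease else patch < FIXED_PATCH[line]
    # Assumption: lines older than 0.12 have no patched release; lines newer than 0.15 carry the fix.
    return line < min(FIXED_PATCH)


def find_vulnerable_fleet_images(listing, components=("fleet", "fleet-agent")):
    """Flag unpatched Fleet controller/agent images in a 'namespace name image' listing.
    Digest-pinned images carry no version tag and are skipped."""
    findings = []
    for row in listing.splitlines():
        if not row.strip():
            continue
        namespace, name, image = row.split()
        repo, _, tag = image.rpartition(":")
        if repo.rsplit("/", 1)[-1] in components and is_vulnerable(tag):
            findings.append((namespace, name, image))
    return findings


# Constructed sample, shaped like the output of:
#   kubectl get deploy -A --no-headers -o custom-columns=\
#     'NS:.metadata.namespace,NAME:.metadata.name,IMAGE:.spec.template.spec.containers[*].image'
# Namespaces and image names are assumptions about a typical Fleet install, not taken from the advisory.
SAMPLE_LISTING = """
cattle-fleet-system        fleet-controller  rancher/fleet:v0.12.9
cattle-fleet-local-system  fleet-agent       rancher/fleet-agent:v0.15.2
kube-system                coredns           registry.k8s.io/coredns/coredns:v1.11.1
"""

if __name__ == "__main__":
    for ns, name, image in find_vulnerable_fleet_images(SAMPLE_LISTING):
        print(f"UPGRADE NEEDED: {ns}/{name} runs {image}")
```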

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/fleet-security-vulnerabilities-kubernetes/
