CVE-2026-44948

Path Traversal in Rancher Fleet ImageScan


Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: SUSE

Description

A path traversal vulnerability in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product   Version / Range
rancher   fleet     up to 0.12.16 (excluding)
rancher   fleet     up to 0.13.12 (excluding)
rancher   fleet     up to 0.14.7 (excluding)
rancher   fleet     up to 0.15.3 (excluding)

Exploitability

CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

AI Quick Actions

Executive Summary

This vulnerability is a path traversal issue found in Fleet's ImageScan subsystem, specifically in the GitRepo path handler. It occurs because the Fleet controller processes paths specified in gitrepo.Spec.Paths without verifying that these paths remain within the cloned repository directory.

An authenticated user with permission to create or modify GitRepo resources in a Fleet-managed namespace can exploit this by supplying path-traversal sequences (like ../etc) in the spec.paths. This causes the ImageScan controller to access directories outside the intended workspace, leading to resource exhaustion and denial of service.

Impact Analysis

Exploiting this vulnerability can cause a denial of service by exhausting system resources and blocking all other ImageScan operations across all tenants. This happens because the ImageScan controller holds a global mutex while recursively walking directories outside the intended repository workspace.

The attacker must have Kubernetes RBAC permission to create or modify GitRepo resources, so the impact is limited to users with such permissions. However, once exploited, it can disrupt the availability of ImageScan services for all users.

Detection Guidance

This vulnerability is a path traversal in Fleet's ImageScan subsystem, triggered when the controller processes malicious GitRepo paths. Detection therefore centres on unusual or unauthorized creations or modifications of GitRepo resources in Fleet-managed namespaces, especially ones whose paths contain traversal sequences such as '../'.

Since the attacker must have Kubernetes RBAC permission to create or modify GitRepo resources, you can audit Kubernetes API server logs or use kubectl commands to list GitRepo resources and inspect their spec.paths fields for suspicious entries.

  • Use kubectl to list GitRepo resources in Fleet-managed namespaces: kubectl get gitrepo -n <namespace> -o yaml
  • Inspect the spec.paths fields for path traversal sequences (e.g., '../etc'): kubectl get gitrepo -n <namespace> -o jsonpath='{.items[*].spec.paths}'
  • Audit Kubernetes API server logs for creation or modification of GitRepo resources with suspicious paths.

Additionally, monitoring for denial of service symptoms related to ImageScan operations being blocked or resource exhaustion on the Fleet controller may indicate exploitation attempts.
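The manual kubectl checks above can be automated with the same containment test the executive summary says the controller lacks: collapse any ".." segments and confirm the result still lies under the clone root. The following is an added example, not Fleet's code or part of this advisory; the gitRepo struct, the clone root /tmp/repo and the sample JSON are assumptions constructed to resemble `kubectl get gitrepo -o json` output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// gitRepo models only the fields this check needs (an assumption, not a Fleet type).
type gitRepo struct {
	Metadata struct{ Name, Namespace string } `json:"metadata"`
	Spec     struct{ Paths []string }         `json:"spec"`
}

// EscapesRepo reports whether a spec.paths entry resolves outside the clone root
// once ".." segments are collapsed: "sub/../manifests" passes, "../etc" fails.
func EscapesRepo(root, p string) bool {
	rel, err := filepath.Rel(root, filepath.Join(root, p)) // Join also cleans the path
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// SuspiciousPaths parses a GitRepo list and returns "namespace/name: path" per escaping entry.
func SuspiciousPaths(listJSON []byte, root string) ([]string, error) {
	var list struct{ Items []gitRepo }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var hits []string
	for _, it := range list.Items {
		for _, p := range it.Spec.Paths {
			if EscapesRepo(root, p) {
				hits = append(hits, fmt.Sprintf("%s/%s: %s", it.Metadata.Namespace, it.Metadata.Name, p))
			}
		}
	}
	return hits, nil
}

// sample is constructed list output, not data from a real cluster.
const sample = `{"items":[
{"metadata":{"name":"apps","namespace":"fleet-default"},"spec":{"paths":["manifests","sub/../manifests"]}},
{"metadata":{"name":"bad","namespace":"fleet-default"},"spec":{"paths":["../etc","deploy/../../.."]}}]}`

func main() {
	hits, _ := SuspiciousPaths([]byte(sample), "/tmp/repo")
	fmt.Println(hits) // [fleet-default/bad: ../etc fleet-default/bad: deploy/../../..]
}
```

Because the check resolves the path rather than grepping for "..", a harmless entry like sub/../manifests is not reported, while deploy/../../.. is caught even though it starts with an ordinary directory name.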

Mitigation Strategies

Immediate mitigation steps include applying patches and configuration changes to prevent exploitation of the path traversal vulnerability in Fleet's ImageScan subsystem.

  • Upgrade Fleet to a patched version: v0.15.3, v0.14.7, v0.13.12 or v0.12.16, or later.
  • If upgrading is not immediately possible and you are using Fleet v0.15 or later, disable the ImageScan controller by setting imagescan.enabled=false in the Helm chart.
  • Restrict Kubernetes RBAC permissions to prevent unauthorized users from creating or modifying GitRepo resources in Fleet-managed namespaces.

These steps will prevent attackers from exploiting the vulnerability by limiting their ability to supply malicious paths and stopping the vulnerable ImageScan processing.
