CVE-2026-44936
Received Received - Intake

Improper Helm Auth Credential Handling in SUSE Rancher Fleet

Vulnerability report for CVE-2026-44936, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: SUSE

Description

Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file, allowing attackers able to push to fleet monitored git repos to leak helm access credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
suse rancher_fleet From 0.15.0 (inc) to 0.15.2 (exc)
suse rancher_fleet From 0.14.0 (inc) to 0.14.6 (exc)
suse rancher_fleet From 0.13.0 (inc) to 0.13.11 (exc)
suse rancher_fleet From 0.12.0 (inc) to 0.12.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44936 is a Server-Side Request Forgery (SSRF) vulnerability in SUSE Rancher Fleet's Bundle Reader component. It occurs when the helmRepoURLRegex field is not set on a GitRepo resource. This causes the system to forward Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file.

An attacker who has the ability to push changes to Fleet-monitored git repositories can exploit this by specifying a malicious URL in the helm.repo field. This causes the Fleet controller to send the configured Helm repository credentials to the attacker's server, potentially leaking sensitive access credentials.

The vulnerability affects multiple versions of Fleet before certain patched releases and is fixed by requiring the helmRepoURLRegex field to restrict credential forwarding only to trusted Helm repository URLs.

Impact Analysis

This vulnerability can lead to the leakage of Helm authentication credentials (BasicAuth) to an attacker-controlled URL. If an attacker can push to a Fleet-monitored git repository, they can set a malicious URL in the helm.repo field, causing the system to send sensitive credentials to the attacker.

The impact is primarily the unauthorized disclosure of Helm repository credentials, which could allow attackers to access or manipulate Helm charts and deployments that rely on those credentials.

The CVSS score of 5.0 (Moderate) reflects the potential for credential leakage without direct impact on system integrity or availability, but it still poses a significant security risk.

Detection Guidance

This vulnerability can be detected by reviewing your Fleet-monitored Git repositories for the presence of the `helm.repo` field in `fleet.yaml` files that may contain untrusted URLs. Additionally, checking if the `helmRepoURLRegex` field is unset on GitRepo resources is crucial, as this allows forwarding of Helm credentials to any URL.

You can inspect your GitRepo resources in your Rancher Fleet setup to identify if `helmRepoURLRegex` is missing or improperly set.

Suggested commands to detect potential exposure include:

  • Use `kubectl` to list GitRepo resources and check for the `helmRepoURLRegex` field:
  • kubectl get gitrepos -A -o json | jq '.items[] | {name: .metadata.name, namespace: .metadata.namespace, helmRepoURLRegex: .spec.helmRepoURLRegex, helmSecretName: .spec.helmSecretName}'
  • Search your Fleet-monitored Git repositories for `helm.repo` entries that point to suspicious or untrusted URLs.
  • Monitor network traffic for unexpected outbound requests from the Fleet controller to unknown URLs, which may indicate credential forwarding.
Mitigation Strategies

Immediate mitigation steps include upgrading Rancher Fleet to a patched version where this vulnerability is fixed (Fleet versions 0.15.2, 0.14.6, 0.13.11, or 0.12.15 and later).

After upgrading, ensure that the `helmRepoURLRegex` field is set on all GitRepo resources that use `helmSecretName` or `helmSecretNameForPaths` to restrict credential forwarding only to trusted Helm repository URLs.

Review any auto-migrated GitRepo resources to verify that the derived regex accurately limits credential forwarding to legitimate origins.

As a workaround before upgrading, manually set the `helmRepoURLRegex` field on all relevant GitRepo resources to match only legitimate Helm repository URLs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart