CVE-2026-44938
Awaiting Analysis
Awaiting Analysis - Queue
Pod Security Bypass via Fleet Agent Deployer
Vulnerability report for CVE-2026-44938, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-07
Last updated on: 2026-07-07
Assigner: SUSE
Description
Description
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace.
An attacker with git push access to a
Fleet-monitored repository could overwrite Pod Security Standards (PSS)
enforcement labels on a target namespace. This allows the attacker to
weaken admission controls and deploy workloads that PSS policies would
otherwise block.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleet | fleet | From 0.12.0 (inc) to 0.12.15 (exc) |
| fleet | fleet | From 0.13.0 (inc) to 0.13.11 (exc) |
| fleet | fleet | From 0.14.0 (inc) to 0.14.6 (exc) |
| fleet | fleet | From 0.15.0 (inc) to 0.15.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |