CVE-2026-44938
Awaiting Analysis Awaiting Analysis - Queue

Pod Security Bypass via Fleet Agent Deployer

Vulnerability report for CVE-2026-44938, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: SUSE

Description

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-monitored repository could overwrite Pod Security Standards (PSS) enforcement labels on a target namespace. This allows the attacker to weaken admission controls and deploy workloads that PSS policies would otherwise block.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
fleet fleet From 0.12.0 (inc) to 0.12.15 (exc)
fleet fleet From 0.13.0 (inc) to 0.13.11 (exc)
fleet fleet From 0.14.0 (inc) to 0.14.6 (exc)
fleet fleet From 0.15.0 (inc) to 0.15.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44938 is a high-severity vulnerability in Fleet's agent-side deployer that allows an attacker to bypass Pod Security Standards (PSS) enforcement.

The issue occurs because Fleet does not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace.

An attacker with git push access to a Fleet-monitored repository can overwrite PSS enforcement labels on a target namespace, weakening admission controls.

This enables the attacker to deploy workloads that PSS policies would normally block.

Impact Analysis

This vulnerability can have serious impacts by allowing an attacker to weaken security controls in a Kubernetes environment managed by Fleet.

By overwriting Pod Security Standards enforcement labels, the attacker can deploy workloads that would otherwise be blocked, potentially leading to the deployment of privileged or insecure containers.

This could result in unauthorized access, privilege escalation, or leaks of sensitive credentials depending on the permissions involved.

Detection Guidance

Detection of this vulnerability involves checking if the Pod Security Standards (PSS) enforcement labels on your Kubernetes namespaces have been overwritten by unauthorized labels from Fleet deployments.

You can inspect the labels on your namespaces to see if any labels with the prefix `pod-security.kubernetes.io/` have been modified or added unexpectedly.

A suggested command to check namespace labels is:

  • kubectl get namespace <namespace-name> -o jsonpath='{.metadata.labels}'

Compare the labels against expected PSS enforcement labels to detect any unauthorized changes.

Additionally, review the git commit history of Fleet-monitored repositories for any suspicious changes to `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels` that include security-sensitive keys.

Mitigation Strategies

Immediate mitigation steps include upgrading Fleet to a patched version that filters out labels with the `pod-security.kubernetes.io/` prefix.

  • Upgrade to Fleet versions 0.15.2, 0.14.6, 0.13.11, or 0.12.15 or later.

If upgrading is not immediately possible, consider deploying NeuVector with an admission control rule to block privileged containers as a workaround.

  • Deploy NeuVector admission control to block privileged containers.

Also, restrict git push access to Fleet-monitored repositories, especially in multi-tenant environments, to reduce the risk of an attacker exploiting this vulnerability, although this does not fully close the vulnerability.

  • Restrict repository access to trusted users only.
Compliance Impact

This vulnerability allows an attacker to weaken Pod Security Standards (PSS) enforcement by overwriting security-sensitive labels on namespaces, potentially enabling the deployment of unauthorized workloads.

Such a bypass of security controls could lead to unauthorized access or deployment of workloads that might leak credentials or sensitive data.

Consequently, this could impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data access and protection, by increasing the risk of unauthorized data exposure or processing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart