CVE-2026-41050
critical
CVSS v3
9.9
CVSS v2
—
VIR risk
9.9
Description
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Predictions
Exploit likelihood
98%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/rancher/fleet | >=0.15.0,<0.15.1 | 0.15.1 |
| Go | github.com/rancher/fleet | >=0.14.0,<0.14.5 | 0.14.5 |
| Go | github.com/rancher/fleet | >=0.13.0,<0.13.10 | 0.13.10 |
| Go | github.com/rancher/fleet | >=0.12.0,<0.12.14 | 0.12.14 |
| Go | github.com/rancher/fleet | >=0.11.0,<0.11.13 | 0.11.13 |
| GO | github.com/rancher/fleet | >= 0.11.0, < 0.11.13 | 0.11.13 |
| GO | github.com/rancher/fleet | >= 0.12.0, < 0.12.14 | 0.12.14 |
| GO | github.com/rancher/fleet | >= 0.13.0, < 0.13.10 | 0.13.10 |
| GO | github.com/rancher/fleet | >= 0.14.0, < 0.14.5 | 0.14.5 |
| GO | github.com/rancher/fleet | >= 0.15.0, < 0.15.1 | 0.15.1 |
References
CWEs
CWE-863
Verify integrity in audit chain (admin only). AS-IS.