Vulnerability in Fleet Agent-Side Deployer Affects Security Control on Target Namespace
CVE-2026-44938
8.8HIGH
What is CVE-2026-44938?
A vulnerability has been discovered in Fleet's agent-side deployer that fails to properly filter security-sensitive keys from namespaceLabels within the fleet.yaml configuration file. This oversight allows an attacker with git push access to a Fleet-monitored repository to overwrite important Pod Security Standards (PSS) enforcement labels in the target namespace. Consequently, the attacker can reduce the effectiveness of admission controls, facilitating the deployment of workloads that PSS policies would typically prevent.
Affected Version(s)
Rancher 0.15.0 < 0.15.2
Rancher 0.14.0 < 0.14.6
Rancher 0.13.0 < 0.13.11