Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-44935— Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

CVSS 9.9 · Critical EPSS 0.57% · P43

Possible ATT&CK Techniques 1AI

T1078 · Valid Accounts

Affected Version Matrix 4

VendorProductVersion RangeStatus
SUSERancher0.15.0< 0.15.2affected
0.14.0< 0.14.6affected
0.13.0< 0.13.11affected
0.12.0< 0.12.15affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44935

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Source: NVD (National Vulnerability Database)
Vulnerability Description
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1287
Source: NVD (National Vulnerability Database)
Vulnerability Title
SUSE rancher 软件供应链问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SUSE rancher是德国SUSE公司开源的一套容器管理平台。 SUSE rancher存在软件供应链问题漏洞,该漏洞源于Helm Deployer中“valuesFrom”引用验证缺失,可能导致一个租户的所有者访问其他租户的fleet凭据。以下版本受到影响:0.15.2版本之前的0.15.x版本、0.14.6版本之前的0.14.x版本、0.13.11版本之前的0.13.x版本和0.12.15版本之前的0.12.x版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
SUSERancher 0.15.0 ~ 0.15.2 -

II. Public POCs for CVE-2026-44935

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8833 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-44935

登录查看更多情报信息。

Vendor Advisories for CVE-2026-44935 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-44935

No comments yet


Leave a comment