high · 8.8 · CVE-2026-44938 · Jul 1, 2026

CVE-2026-44938: Rancher Fleet Pod Security Standards Bypass via namespaceLabels

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

Anyone with git push access to a Fleet-monitored repository could silently downgrade the Pod Security Standards level on a Kubernetes namespace, letting them deploy privileged or otherwise restricted

Package: github.com/rancher/fleet
Ecosystem: go
Affected: >= 0.15.0, < 0.15.2
Fixed in: 0.15.2

The problem

Fleet's agent-side deployer applied every label from `namespaceLabels` in `fleet.yaml` (or `BundleDeployment.spec.options.namespaceLabels`) directly to the target namespace on every reconcile loop, with no filtering.

Because Pod Security Standards are enforced entirely through namespace labels prefixed `pod-security.kubernetes.io/`, an attacker who controls a git push could set those labels to `privileged`, silently overwriting whatever a cluster administrator had configured.

The change takes effect on the next Fleet sync without any cluster-level RBAC required beyond repository write access.

Proof of concept

The following is a working proof of concept for CVE-2026-44938 in github.com/rancher/fleet, with the exact payload shown below.

```yaml
# fleet.yaml committed to attacker-controlled (or compromised) git repository
namespaceLabels:
  pod-security.kubernetes.io/enforce: privileged
  pod-security.kubernetes.io/enforce-version: latest
  pod-security.kubernetes.io/audit: privileged
  pod-security.kubernetes.io/warn: privileged

# After Fleet syncs, deploy a privileged workload that PSS would have blocked:
---
apiVersion: v1
kind: Pod
metadata:
  name: pwned
  namespace: target-namespace
spec:
  containers:
  - name: shell
    image: alpine
    securityContext:
      privileged: true
```

The root cause (CWE-522, Insufficiently Protected Credentials / admission control bypass) is that `addLabelsFromOptions` iterated the caller-supplied label map and applied it verbatim with no denylist or prefix filter.

Kubernetes PSS enforcement is label-driven: the API server reads `pod-security.kubernetes.io/enforce` on the namespace at admission time. Overwriting that label with `privileged` is sufficient to remove all restrictions, with no cluster-admin rights needed.

The patch adds a prefix filter that silently drops any key beginning with `pod-security.kubernetes.io/` before the label map is applied to the namespace, preserving whatever the cluster administrator set.

The fix

Upgrade Fleet to v0.15.2 (or v0.14.6, v0.13.11, v0.12.15 for older release trains). The patched deployer filters out all `namespaceLabels` keys starting with the `pod-security.kubernetes.io/` prefix before applying them to the namespace, so git-controlled bundles can no longer downgrade PSS enforcement.
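The prefix filter described above, written as an added Go example rather than Fleet's own patched code: `FilterNamespaceLabels` drops every bundle-supplied key under `pod-security.kubernetes.io/`, and `MergeNamespaceLabels` applies the remainder on top of the namespace's existing labels so administrator-set PSS levels survive each reconcile (function names and the sample label maps are assumptions, not taken from the project).

```go
package main

import (
	"fmt"
	"strings"
)

// pssPrefix is the label prefix Kubernetes reads for Pod Security Standards.
const pssPrefix = "pod-security.kubernetes.io/"

// FilterNamespaceLabels returns a copy of the bundle-supplied label map with
// every Pod Security Standards key removed. Only the cluster administrator
// may set these, so git-controlled input must never reach them.
func FilterNamespaceLabels(requested map[string]string) map[string]string {
	out := make(map[string]string, len(requested))
	for k, v := range requested {
		if strings.HasPrefix(k, pssPrefix) {
			continue // silently dropped, matching the behaviour the advisory describes
		}
		out[k] = v
	}
	return out
}

// MergeNamespaceLabels applies the filtered bundle labels onto the labels the
// namespace already carries, so admin-set PSS labels are preserved unchanged.
func MergeNamespaceLabels(existing, requested map[string]string) map[string]string {
	merged := make(map[string]string, len(existing)+len(requested))
	for k, v := range existing {
		merged[k] = v
	}
	for k, v := range FilterNamespaceLabels(requested) {
		merged[k] = v
	}
	return merged
}

func main() {
	// Constructed sample: the administrator enforces "restricted"; a bundle's
	// namespaceLabels try to downgrade it and also add an ordinary label.
	existing := map[string]string{
		"pod-security.kubernetes.io/enforce": "restricted",
		"team":                               "payments",
	}
	requested := map[string]string{
		"pod-security.kubernetes.io/enforce": "privileged",
		"env":                                "prod",
	}
	fmt.Println(MergeNamespaceLabels(existing, requested))
}
```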

If upgrading immediately is not possible, deploy NeuVector in Protect mode with a Deny rule for privileged containers as a compensating control.

Reported by Radisauskas Arnoldas (NATO / NATO Cyber Security Centre).

References: [1][2]
