CVE-2026-41050
Rancher (Fleet) · Fleet
The Fleet Helm deployer improperly handles ServiceAccount impersonation, allowing unauthorized access to secrets across Kubernetes namespaces.
Executive summary
A critical authorization vulnerability in Rancher Fleet allows tenants to read unauthorized secrets from any namespace in a downstream cluster.
Vulnerability
Fleet’s Helm deployer fails to fully apply ServiceAccount impersonation in specific code paths. This allows a tenant with git push access to read secrets from any namespace on target downstream clusters.
Business impact
The CVSS score of 9.9 indicates a critical risk to Kubernetes cluster security. Unauthorized access to secrets can expose credentials, API keys, and sensitive configuration data, effectively granting the attacker control over the entire cluster environment.
Remediation
Immediate Action: Update the Fleet controller and agent components to the latest version recommended by Rancher.
Proactive Monitoring: Review Kubernetes audit logs for suspicious get requests on secrets resources by unauthorized ServiceAccounts or users.
Compensating Controls: Implement Kubernetes RBAC policies to strictly limit the permissions of ServiceAccounts used by Fleet and ensure that sensitive secrets are encrypted at rest.
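The audit-log review above can be automated. The following is an added example, not code from the advisory or from Fleet: it reads standard Kubernetes audit events (audit.k8s.io/v1 JSON, one per line) and flags successful secret reads where the effective identity, the impersonatedUser when impersonation was applied and the authenticated user otherwise, is a ServiceAccount reading outside its own namespace. The sample events, ServiceAccount names and namespaces are constructed placeholders, not values from the advisory.

```python
import json

READ_VERBS = {"get", "list", "watch"}
SA_PREFIX = "system:serviceaccount:"

# Constructed sample audit events (audit.k8s.io/v1, level Metadata), one JSON object per line.
# ServiceAccount and namespace names are made-up placeholders, not values from the advisory.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","stage":"ResponseComplete","user":{"username":"system:serviceaccount:tenant-a:deployer"},"objectRef":{"resource":"secrets","namespace":"tenant-a","name":"app-config"},"responseStatus":{"code":200}}
{"verb":"get","stage":"ResponseComplete","user":{"username":"system:serviceaccount:fleet-system:fleet-agent"},"impersonatedUser":{"username":"system:serviceaccount:tenant-a:deployer"},"objectRef":{"resource":"secrets","namespace":"tenant-a","name":"app-config"},"responseStatus":{"code":200}}
{"verb":"get","stage":"ResponseComplete","user":{"username":"system:serviceaccount:fleet-system:fleet-agent"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"cloud-creds"},"responseStatus":{"code":200}}
{"verb":"list","stage":"ResponseComplete","user":{"username":"system:serviceaccount:fleet-system:fleet-agent"},"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":200}}
{"verb":"get","stage":"ResponseComplete","user":{"username":"system:serviceaccount:fleet-system:fleet-agent"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":403}}
{"verb":"get","stage":"ResponseComplete","user":{"username":"alice@example.com"},"objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config"},"responseStatus":{"code":200}}
"""

def sa_namespace(username):
    """Home namespace of a 'system:serviceaccount:<ns>:<name>' user, or None for other users."""
    if not username.startswith(SA_PREFIX):
        return None
    parts = username[len(SA_PREFIX):].split(":", 1)
    return parts[0] if len(parts) == 2 else None

def find_cross_namespace_secret_reads(audit_lines):
    """Return (verb, authenticated_user, effective_user, namespace, secret) for every successful
    secret read whose effective identity (impersonatedUser if impersonation was applied, else
    the authenticated user) is a ServiceAccount reading outside its own namespace."""
    findings = []
    for line in filter(None, (l.strip() for l in audit_lines)):
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        if ev.get("stage") != "ResponseComplete" or ev.get("responseStatus", {}).get("code", 0) >= 400:
            continue  # denied or still-in-flight requests did not disclose anything
        actor = ev.get("user", {}).get("username", "")
        effective = ev.get("impersonatedUser", {}).get("username", actor)
        home_ns, target_ns = sa_namespace(effective), ref.get("namespace")
        if home_ns is not None and target_ns != home_ns:
            findings.append((ev["verb"], actor, effective, target_ns, ref.get("name", "<all>")))
    return findings

if __name__ == "__main__":
    for finding in find_cross_namespace_secret_reads(SAMPLE_AUDIT_LOG.splitlines()):
        print("cross-namespace secret read:", finding)
```

In the sample, the two reads by the agent ServiceAccount with no impersonatedUser set are flagged, while the properly impersonated tenant read and the denied request are not; in a real deployment, tune the home-namespace rule to the namespaces your deployer ServiceAccounts are legitimately granted.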
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is highly critical for organizations using Fleet for GitOps in Kubernetes. Immediate patching is necessary to prevent potential lateral movement and secret theft within clusters.