{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44936","assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","state":"PUBLISHED","assignerShortName":"suse","dateReserved":"2026-05-08T12:29:48.967Z","datePublished":"2026-07-06T09:30:20.688Z","dateUpdated":"2026-07-06T12:47:45.102Z"},"containers":{"cna":{"providerMetadata":{"orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse","dateUpdated":"2026-07-06T09:30:20.688Z"},"title":"Rancher Fleet SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml","datePublic":"2026-05-28T09:28:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-918","description":"CWE-918 Server-Side request forgery (SSRF)","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-122","descriptions":[{"lang":"en","value":"CAPEC-122 Privilege Abuse"}]}],"affected":[{"vendor":"SUSE","product":"Rancher","packageName":"Fleet","repo":"https://github.com/rancher/fleet","versions":[{"status":"affected","version":"0.15.0","lessThan":"0.15.2","versionType":"semver"},{"status":"affected","version":"0.14.0","lessThan":"0.14.6","versionType":"semver"},{"status":"affected","version":"0.13.0","lessThan":"0.13.11","versionType":"semver"},{"status":"affected","version":"0.12.0","lessThan":"0.12.15","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file, allowing attackers able to push to fleet monitored git repos to leak helm access credentials.","supportingMedia":[{"type":"text/html","base64":false,"value":"Missing filtering when the <code>helmRepoURLRegex</code> field isn't set on a <code>GitRepo</code> resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (<code>BasicAuth</code>) to any URL specified in the <code>helm.repo</code> field of a <code>fleet.yaml</code> file, allowing attackers able to push to fleet monitored git repos to leak helm access credentials."}]}],"references":[{"url":"https://github.com/advisories/GHSA-hx4v-cxpf-vh8m","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-06T12:47:38.527371Z","id":"CVE-2026-44936","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-06T12:47:45.102Z"}}]}}