PT-2026-54762 · Fleet · Fleet

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-44936

CVSS v3.1

5.0

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 0.12.15 Fleet versions prior to 0.13.11 Fleet versions prior to 0.14.6 Fleet versions prior to 0.15.2
Description Fleet forwards Helm authentication credentials (BasicAuth) to any URL specified in the helm.repo field of a fleet.yaml file when the helmRepoURLRegex field is not set on a GitRepo resource. An attacker with git push access to a monitored repository can specify a malicious URL in helm.repo, causing the Fleet controller to send the configured Helm repository username and password to the attacker's server.
Recommendations Upgrade to Fleet versions 0.12.15, 0.13.11, 0.14.6, or 0.15.2. As a temporary workaround, set the helmRepoURLRegex on all GitRepo resources that use helmSecretName to ensure the regular expression matches only legitimate Helm repository URLs. Review the system for potentially leaked credentials and replace any compromised credentials.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44936
GHSA-HX4V-CXPF-VH8M

Affected Products

Fleet