PT-2026-55202 · Fleet · Fleet

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-44937

CVSS v4.0

8.3

High

VectorAV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 0.15.2 Fleet versions prior to 0.14.6 Fleet versions prior to 0.13.11 Fleet versions prior to 0.12.15
Description An issue exists when the webhook endpoint is configured without a secret, allowing unauthenticated attackers to forge webhook requests. The root cause is improper authentication and validation of requests combined with regex-based injection via unescaped repository URL and path components. An attacker can send crafted payloads to the webhook endpoint without needing to know the specific repository or path configured in the GitRepo resource. This can lead to continuous repository re-cloning, resulting in network traffic increases and resource exhaustion on the management cluster, causing a denial of service. Additionally, if the attacker has read access to the target Git repository and knows its path, they can downgrade running services to any historical revision available in the remote repository.
Recommendations Upgrade to version 0.15.2. Upgrade to version 0.14.6. Upgrade to version 0.13.11. Upgrade to version 0.12.15. As a temporary workaround, ensure that webhooks are only enabled when configured with a shared secret.

Fix

DoS

SSRF

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44937
GHSA-JMF4-M7J9-G72R

Affected Products

Fleet