PT-2026-55202 · Fleet · Fleet
Published
2026-07-01
·
Updated
2026-07-06
·
CVE-2026-44937
CVSS v4.0
8.3
High
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 0.15.2
Fleet versions prior to 0.14.6
Fleet versions prior to 0.13.11
Fleet versions prior to 0.12.15
Description
An issue exists when the webhook endpoint is configured without a secret, allowing unauthenticated attackers to forge webhook requests. The root cause is improper authentication and validation of requests combined with regex-based injection via unescaped repository URL and path components. An attacker can send crafted payloads to the webhook endpoint without needing to know the specific repository or path configured in the GitRepo resource. This can lead to continuous repository re-cloning, resulting in network traffic increases and resource exhaustion on the management cluster, causing a denial of service. Additionally, if the attacker has read access to the target Git repository and knows its path, they can downgrade running services to any historical revision available in the remote repository.
Recommendations
Upgrade to version 0.15.2.
Upgrade to version 0.14.6.
Upgrade to version 0.13.11.
Upgrade to version 0.12.15.
As a temporary workaround, ensure that webhooks are only enabled when configured with a shared secret.
Fix
DoS
SSRF
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Fleet