CVE-2026-44935 Google Chronicle · YARA-L

Detect Rancher Fleet Cross-Namespace Secret Disclosure via Unvalidated valuesFrom References in Google Chronicle

CVE-2026-44935 is a critical (CVSS 9.9) authorization bypass vulnerability in Rancher Fleet's Helm Deployer affecting versions 0.12.0-0.12.14, 0.13.0-0.13.10, 0.14.0-0.14.5, and 0.15.0-0.15.1. The Helm Deployer fails to validate namespace boundaries when resolving `valuesFrom` references in GitRepo or Bundle resources, allowing an attacker with access to one namespace to craft a GitRepo or Bundle that references Secrets or ConfigMaps from arbitrary namespaces including cluster-scoped secrets. This constitutes an incorrect authorization check (CWE-863) that can expose credentials, API keys, and sensitive configuration from namespaces the attacker should not have access to. A public PoC is available.
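Before and after upgrading past the affected versions, an operator will want an inventory of which `valuesFrom` references actually cross namespace boundaries in the cluster, since those are the references this bug lets a low-privileged tenant abuse and the ones a later policy (such as rejecting cross-namespace references) would break. The Python below is an added example, not code from this page or from the Fleet project: it walks a `kubectl get bundles -A -o json` style list and reports every `valuesFrom` reference whose namespace differs from the owning Bundle's. Fleet renders a GitRepo's `fleet.yaml` into Bundle objects, so the Bundle spec is where the resolved references live (my understanding; confirm for your version). The field paths (`spec.helm.valuesFrom[].secretKeyRef` / `configMapKeyRef` with `name`, `namespace`, `key`, and the same under `spec.targets[].helm`) are assumed from Fleet's Bundle schema, the sample list is constructed, and a reference without a namespace is treated as same-namespace, which is an assumption to verify.

```python
"""Inventory cross-namespace valuesFrom references in Fleet Bundle objects.

Input mirrors `kubectl get bundles -A -o json` (a v1 List). The sample at the
bottom is constructed for this example and is not real cluster data.
"""
import json

# Field names assumed from Fleet's Bundle schema: each valuesFrom entry holds
# either secretKeyRef or configMapKeyRef, each with name/namespace/key.
REF_FIELDS = (("Secret", "secretKeyRef"), ("ConfigMap", "configMapKeyRef"))


def iter_values_from(helm):
    """Yield (kind, ref) for every valuesFrom entry under one helm options block."""
    for entry in (helm or {}).get("valuesFrom") or []:
        for kind, field in REF_FIELDS:
            ref = entry.get(field)
            if ref:
                yield kind, ref


def helm_blocks(spec):
    """Yield (json_path, helm_options) for bundle-wide and per-target helm settings."""
    yield "spec.helm", spec.get("helm")
    for i, target in enumerate(spec.get("targets") or []):
        yield f"spec.targets[{i}].helm", target.get("helm")


def cross_namespace_refs(bundle_list):
    """Return every valuesFrom reference that points outside the Bundle's own namespace."""
    findings = []
    for item in bundle_list.get("items", []):
        meta = item.get("metadata", {})
        owner_ns = meta.get("namespace", "")
        for path, helm in helm_blocks(item.get("spec", {})):
            for kind, ref in iter_values_from(helm):
                # Assumption: a reference with no namespace resolves in the Bundle's namespace.
                ref_ns = ref.get("namespace") or owner_ns
                if ref_ns != owner_ns:
                    findings.append({
                        "bundle": f"{owner_ns}/{meta.get('name', '')}",
                        "path": path,
                        "kind": kind,
                        "ref": f"{ref_ns}/{ref.get('name', '')}",
                        "key": ref.get("key", ""),
                    })
    return findings


def _bundle(name, namespace, helm=None, targets=None):
    """Build a minimal Bundle object for the constructed sample."""
    spec = {}
    if helm is not None:
        spec["helm"] = helm
    if targets is not None:
        spec["targets"] = targets
    return {"apiVersion": "fleet.cattle.io/v1alpha1", "kind": "Bundle",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample: one Bundle with two cross-namespace references (one
# bundle-wide, one in a target override), one same-namespace-only Bundle, one
# Bundle without valuesFrom at all.
SAMPLE_BUNDLES = {"apiVersion": "v1", "kind": "List", "items": [
    _bundle("app-a", "team-a",
            helm={"chart": "app", "valuesFrom": [
                {"secretKeyRef": {"name": "helm-values", "namespace": "team-a", "key": "values.yaml"}},
                {"configMapKeyRef": {"name": "shared-values", "namespace": "team-b", "key": "values.yaml"}},
            ]},
            targets=[{"clusterSelector": {}, "helm": {"valuesFrom": [
                {"secretKeyRef": {"name": "cluster-creds", "namespace": "cattle-fleet-system", "key": "creds"}},
            ]}}]),
    _bundle("app-b", "team-b",
            helm={"chart": "app", "valuesFrom": [
                {"secretKeyRef": {"name": "vals", "key": "values.yaml"}},  # no namespace: same-namespace (assumed)
            ]}),
    _bundle("app-c", "team-c", helm={"chart": "plain"}),
]}


if __name__ == "__main__":
    for f in cross_namespace_refs(SAMPLE_BUNDLES):
        print(f"{f['bundle']} {f['path']}: {f['kind']} {f['ref']} (key {f['key']})")
```

Feed it the real output of `kubectl get bundles -A -o json` via `json.load` in place of `SAMPLE_BUNDLES`; any reference whose namespace is not the Bundle's own is something to either justify with an explicit RBAC grant or remove.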

MITRE ATT&CK

Tactic
Credential Access, Discovery

YARA-L Detection Query

Google Chronicle (YARA-L)
rule rancher_fleet_cve_2026_44935_cross_namespace_secret_read {
  meta:
    author = "df00tech"
    description = "Detects Rancher Fleet cross-namespace secret disclosure CVE-2026-44935"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/rancher/fleet/security/advisories/GHSA-xr65-5cpm-g36x"

  events:
    // Successful read of a Secret or ConfigMap through the Kubernetes API
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.target.resource.type = "KUBERNETES_OBJECT"
    $e.target.resource.resource_subtype in ("secrets", "configmaps")
    $e.network.http.method in ("GET", "LIST")
    $e.network.http.response_code = 200

    // Principal is a Fleet service account; bind it to a placeholder so the
    // match section can group on it, and capture the namespace it lives in
    $e.principal.user.userid matches /system:serviceaccount:.*fleet.*/
    $userid = $e.principal.user.userid
    $source_ns = re.capture($e.principal.user.userid, "system:serviceaccount:([^:]+):")

    // The object that was read lives in a different namespace than the service account
    $e.target.namespace != ""
    $e.target.namespace != $source_ns

  match:
    $userid over 5m

  outcome:
    // With a match window, outcome variables are computed over all grouped events
    $risk_score = max(85)
    $source_namespace = array_distinct($source_ns)
    $target_namespace = array_distinct($e.target.namespace)
    $secret_name = array_distinct($e.target.resource.name)

  condition:
    $e
}
Severity: critical. Confidence: medium.

Chronicle YARA-L rule detecting Rancher Fleet service accounts successfully reading secrets or configmaps from namespaces different from their own, indicating exploitation of CVE-2026-44935.

Data Sources

  • Google Cloud Kubernetes Engine audit logs
  • Chronicle Kubernetes log ingestion

Required Tables

GCP_CLOUDAUDIT

False Positives & Tuning

  • Authorized cross-namespace Fleet configurations in clusters with relaxed multi-tenancy controls
  • Fleet upgrade procedures that require temporary elevated secret access across namespaces
  • GKE Autopilot or Workload Identity configurations where Fleet service accounts are granted broader permissions


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Fleet valuesFrom Cross-Namespace Secret Read

    Expected signal: Kubernetes audit log entry: verb=get, resource=secrets, objectRef.name=victim-secret, objectRef.namespace=fleet-test-victim, user.username=system:serviceaccount:fleet-test-attacker:fleet-*, responseStatus.code=200

  2. Test 2: Enumerate Existing GitRepo valuesFrom Cross-Namespace References

    Expected signal: Script output listing cross-namespace references; Kubernetes API audit logs for GET gitrepos and GET bundles at cluster scope

  3. Test 3: Fleet Service Account RBAC Permission Audit for Secret Access

    Expected signal: kubectl auth can-i commands generate Kubernetes audit log entries for SubjectAccessReview API calls; RBAC audit output identifies over-privileged Fleet service accounts

  4. Test 4: Monitor Fleet Controller Live for Cross-Namespace Secret Access Events

    Expected signal: Real-time stdout alerts for each cross-namespace secret or configmap read event matching Fleet service account patterns
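As an added example (not code from this page, from df00tech, or from the Fleet project), the following Python applies the same logic as the YARA-L rule above directly to raw Kubernetes audit-log JSON lines, which is the telemetry Tests 1 and 4 expect to produce: it keeps only successful `get`/`list` requests for `secrets` or `configmaps` made by service accounts whose username contains `fleet`, extracts the account's own namespace from the username the way the rule's `re.capture` does, flags reads where `objectRef.namespace` differs, and then groups hits per principal into 5-minute windows to mirror the rule's `match` clause. The audit records, service account names and namespaces are all constructed for this example.

```python
"""Detect Fleet service accounts reading Secrets/ConfigMaps outside their own namespace.

Works on Kubernetes audit-log JSON lines (one Event per line). The records in
SAMPLE_LINES are constructed for this example.
"""
import json
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Service-account usernames have the form system:serviceaccount:<namespace>:<name>;
# the first group is the account's own namespace (the rule's $source_ns).
SA_RE = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):(?P<name>[^:]+)$")
WATCHED_RESOURCES = {"secrets", "configmaps"}
WATCHED_VERBS = {"get", "list"}
WINDOW = timedelta(minutes=5)  # the rule's `over 5m`


def parse_ts(value):
    """Parse an RFC 3339 audit timestamp, accepting the trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def match_event(event):
    """Apply the rule's per-event conditions to one audit record.

    Returns a finding dict for a successful cross-namespace Secret/ConfigMap read
    by a Fleet service account, or None.
    """
    username = event.get("user", {}).get("username", "")
    m = SA_RE.match(username)
    if m is None or "fleet" not in username:  # same scope as the rule's /system:serviceaccount:.*fleet.*/
        return None
    ref = event.get("objectRef", {})
    if ref.get("resource") not in WATCHED_RESOURCES or event.get("verb") not in WATCHED_VERBS:
        return None
    if event.get("responseStatus", {}).get("code") != 200:  # denied requests are not disclosure
        return None
    target_ns = ref.get("namespace", "")
    if not target_ns or target_ns == m["ns"]:  # cluster-scoped object or same-namespace read
        return None
    return {
        "principal": username,
        "source_namespace": m["ns"],
        "target_namespace": target_ns,
        "resource": ref["resource"],
        "name": ref.get("name", ""),
        "time": parse_ts(event["stageTimestamp"]),
    }


def detect(lines):
    """Run match_event over JSON-lines input, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            finding = match_event(event)
            if finding:
                findings.append(finding)
    return findings


def group_by_principal(findings, window=WINDOW):
    """Emulate `match: $userid over 5m`: one group per principal per window."""
    by_user = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["time"]):
        groups = by_user[f["principal"]]
        if groups and f["time"] - groups[-1][0]["time"] <= window:
            groups[-1].append(f)
        else:
            groups.append([f])
    return dict(by_user)


def _record(ts, user, verb, resource, name, ns, code):
    """Build one constructed audit Event as a JSON line."""
    rec = {"kind": "Event", "stageTimestamp": ts, "verb": verb,
           "user": {"username": user},
           "objectRef": {"resource": resource, "name": name},
           "responseStatus": {"code": code}}
    if ns is not None:
        rec["objectRef"]["namespace"] = ns
    return json.dumps(rec)


ATTACKER = "system:serviceaccount:fleet-test-attacker:fleet-controller"   # constructed
CONTROLLER = "system:serviceaccount:cattle-fleet-system:fleet-controller"  # constructed

SAMPLE_LINES = [
    _record("2026-01-15T10:00:00Z", ATTACKER, "get", "secrets", "victim-secret", "fleet-test-victim", 200),  # hit
    _record("2026-01-15T10:00:30Z", ATTACKER, "get", "secrets", "own-values", "fleet-test-attacker", 200),   # same ns
    _record("2026-01-15T10:01:00Z", CONTROLLER, "list", "configmaps", "", "kube-system", 200),               # hit
    _record("2026-01-15T10:01:30Z", ATTACKER, "get", "configmaps", "cluster-info", "kube-public", 403),      # denied
    _record("2026-01-15T10:02:00Z", ATTACKER, "get", "configmaps", "db-config", "prod", 200),                # hit, same window
    _record("2026-01-15T10:02:30Z", "system:serviceaccount:default:ci-runner", "get", "secrets", "token", "prod", 200),  # not Fleet
    _record("2026-01-15T10:03:00Z", ATTACKER, "watch", "secrets", "", "prod", 200),                          # verb not in rule
    _record("2026-01-15T10:03:30Z", ATTACKER, "get", "nodes", "node-1", None, 200),                          # cluster-scoped
    "not json at all",
    _record("2026-01-15T10:09:00Z", ATTACKER, "get", "secrets", "victim-secret", "fleet-test-victim", 200),  # hit, new window
]

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for principal, groups in group_by_principal(detect(source)).items():
        for group in groups:
            targets = sorted({f"{f['target_namespace']}/{f['resource']}/{f['name']}" for f in group})
            print(f"{group[0]['time']:%H:%M} {principal} ({group[0]['source_namespace']}) -> {', '.join(targets)}")
```

Run it against an exported audit log with `python fleet_xns.py < audit.log`; without input it runs over the constructed sample and prints two windows for the attacker account and one for the controller. The distractor lines show what the rule deliberately ignores: same-namespace reads, denied requests, non-Fleet principals, `watch` verbs, and cluster-scoped objects.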
