Detect Rancher Fleet Cross-Namespace Secret Disclosure via Unvalidated valuesFrom References in Splunk
CVE-2026-44935 is a critical (CVSS 9.9) authorization bypass in Rancher Fleet's Helm Deployer affecting versions 0.12.0-0.12.14, 0.13.0-0.13.10, 0.14.0-0.14.5, and 0.15.0-0.15.1. The Helm Deployer does not validate namespace boundaries when resolving `valuesFrom` references in GitRepo or Bundle resources, so an attacker who can create a GitRepo or Bundle in one namespace can point its `valuesFrom` at Secrets or ConfigMaps in arbitrary namespaces, including namespaces that hold cluster-level credentials, and have Fleet read them on the attacker's behalf. This is an incorrect authorization check (CWE-863) that can expose credentials, API keys, and sensitive configuration from namespaces the attacker has no RBAC access to. A public PoC is available.
MITRE ATT&CK
- Tactics: Credential Access, Discovery
SPL Detection Query
index=kubernetes sourcetype=kube:audit
| where 'objectRef.resource' IN ("secrets", "configmaps")
| where verb IN ("get", "list", "watch")
| where like('user.username', "system:serviceaccount:%fleet%")
| eval source_namespace=mvindex(split('user.username', ":"), 2)
| where 'objectRef.namespace'!=source_namespace AND isnotnull('objectRef.namespace') AND isnotnull(source_namespace)
| where 'responseStatus.code'==200 OR 'responseStatus.code'==201
| stats count AS cross_ns_reads, values(objectRef.name) AS accessed_secrets, values(objectRef.namespace) AS target_namespaces BY source_namespace, user.username, _time span=5m
| eval risk_score=case(cross_ns_reads > 10, 90, cross_ns_reads > 3, 70, true(), 50)
| sort -cross_ns_reads
This query flags successful cross-namespace Secret and ConfigMap reads by Fleet service accounts in Kubernetes audit logs, which indicate possible exploitation of CVE-2026-44935 via unvalidated valuesFrom references. The service account name (system:serviceaccount:<namespace>:<name>) is split on ":" and the third element taken as the account's home namespace; any successful read whose objectRef.namespace differs from it is counted per account and 5-minute window, then scored. Field names follow the raw audit.k8s.io/v1 event JSON (objectRef.*, responseStatus.code, user.username); adjust them if your add-on renames fields.
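The same detection logic run over a handful of constructed audit events, as an added example in Python rather than SPL (this is not the page's detection package, and the service account name, namespaces and timestamps in the sample are made up). It reproduces each stage of the query: the resource, verb, service-account and status filters, the namespace extraction from user.username, the 5-minute bucketing, and the risk score.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone


def _event(verb, username, resource, namespace, name, code, ts):
    """Build a minimal audit.k8s.io/v1 Event with only the fields the detection inspects."""
    return {
        "verb": verb,
        "user": {"username": username},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
        "responseStatus": {"code": code},
        "requestReceivedTimestamp": ts,
    }


# Constructed sample audit log (JSON lines). Not from a real cluster; the SA name is assumed.
ATTACKER_SA = "system:serviceaccount:fleet-test-attacker:fleet-deployer"
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # four cross-namespace reads by the attacker-namespace Fleet SA inside one 5-minute window
    _event("get",  ATTACKER_SA, "secrets",    "fleet-test-victim",   "victim-secret",   200, "2026-05-01T10:01:10.412Z"),
    _event("get",  ATTACKER_SA, "secrets",    "fleet-test-victim",   "db-credentials",  200, "2026-05-01T10:01:11.020Z"),
    _event("get",  ATTACKER_SA, "configmaps", "cattle-fleet-system", "fleet-config",    200, "2026-05-01T10:02:30Z"),
    _event("list", ATTACKER_SA, "secrets",    "kube-system",         None,              200, "2026-05-01T10:03:59Z"),
    # one more read by the same SA in the following window
    _event("get",  ATTACKER_SA, "secrets",    "fleet-test-victim",   "victim-secret",   200, "2026-05-01T10:07:00Z"),
    # benign: same SA reading its own namespace
    _event("get",  ATTACKER_SA, "secrets",    "fleet-test-attacker", "own-values",      200, "2026-05-01T10:02:00Z"),
    # benign: cross-namespace attempt denied by RBAC
    _event("get",  ATTACKER_SA, "secrets",    "kube-system",         "bootstrap-token", 403, "2026-05-01T10:02:05Z"),
    # benign: not a Fleet service account
    _event("get",  "system:serviceaccount:monitoring:prometheus", "secrets", "kube-system", "etcd-certs", 200, "2026-05-01T10:02:10Z"),
    # benign: Fleet SA, but not a Secret or ConfigMap
    _event("list", ATTACKER_SA, "pods",       "fleet-test-victim",   None,              200, "2026-05-01T10:02:15Z"),
])

SA_PREFIX = "system:serviceaccount:"
FLEET_MARKER = "fleet"        # mirrors like(user.username, "system:serviceaccount:%fleet%")
SUCCESS_CODES = {200, 201}
WINDOW_SECONDS = 300          # mirrors span=5m


def _field(event, *path):
    """Walk a nested dict; return None if any key along the path is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _parse_ts(ts):
    """Audit timestamps are RFC 3339 in UTC with optional fractional seconds."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def match_cross_namespace_read(event):
    """Per-event filters of the query. Returns (source_ns, username, target_ns, name) or None."""
    if _field(event, "objectRef", "resource") not in ("secrets", "configmaps"):
        return None
    if event.get("verb") not in ("get", "list", "watch"):
        return None
    username = _field(event, "user", "username") or ""
    if not username.startswith(SA_PREFIX) or FLEET_MARKER not in username[len(SA_PREFIX):]:
        return None
    parts = username.split(":")                      # mvindex(split(user.username, ":"), 2)
    source_ns = parts[2] if len(parts) > 2 and parts[2] else None
    target_ns = _field(event, "objectRef", "namespace")
    if source_ns is None or target_ns is None or source_ns == target_ns:
        return None
    if _field(event, "responseStatus", "code") not in SUCCESS_CODES:
        return None
    return source_ns, username, target_ns, _field(event, "objectRef", "name")


def detect(audit_jsonl, window_seconds=WINDOW_SECONDS):
    """Aggregate matches per (source namespace, account, window) and score them, like the stats/eval/sort stages."""
    buckets = defaultdict(lambda: {"cross_ns_reads": 0, "accessed_secrets": set(), "target_namespaces": set()})
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = match_cross_namespace_read(event)
        if hit is None:
            continue
        source_ns, username, target_ns, name = hit
        epoch = int(_parse_ts(event["requestReceivedTimestamp"]).timestamp())
        window_start = epoch - epoch % window_seconds
        agg = buckets[(source_ns, username, window_start)]
        agg["cross_ns_reads"] += 1
        if name:                                     # values() skips null names (list/watch)
            agg["accessed_secrets"].add(name)
        agg["target_namespaces"].add(target_ns)
    rows = []
    for (source_ns, username, window_start), agg in buckets.items():
        n = agg["cross_ns_reads"]
        rows.append({
            "source_namespace": source_ns,
            "user.username": username,
            "_time": datetime.fromtimestamp(window_start, timezone.utc).isoformat(),
            "cross_ns_reads": n,
            "accessed_secrets": sorted(agg["accessed_secrets"]),
            "target_namespaces": sorted(agg["target_namespaces"]),
            "risk_score": 90 if n > 10 else 70 if n > 3 else 50,
        })
    return sorted(rows, key=lambda r: -r["cross_ns_reads"])


if __name__ == "__main__":
    for row in detect(SAMPLE_AUDIT_LOG):
        print(json.dumps(row))
```

On the sample above the script produces two rows for the attacker service account: four reads in the 10:00 window (risk 70) and one in the 10:05 window (risk 50); the own-namespace read, the 403, the non-Fleet account and the pods list are all dropped, as they would be by the query.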
Data Sources
Required Sourcetypes
- kube:audit: Kubernetes API server audit log (audit.k8s.io/v1 events) ingested as JSON, exposing verb, user.username, objectRef.resource, objectRef.namespace, objectRef.name and responseStatus.code. The audit policy must log secrets and configmaps requests at Metadata level or above; many default policies omit these resources entirely, in which case the query returns nothing.
False Positives & Tuning
- Authorized cross-namespace Fleet configurations explicitly permitted by cluster administrators
- Fleet operators who have intentionally granted elevated RBAC roles to Fleet service accounts
- Automated testing pipelines that deploy Fleet configurations referencing secrets across namespaces in non-production clusters
- The query uses the service account's own namespace as the baseline. If the reads are performed by a Fleet component running in a shared system namespace rather than by an account in the tenant's namespace, every read of another namespace's Secrets will match; narrow the like() pattern to the accounts and namespaces in your deployment, and confirm suspicious hits by comparing the referenced namespace with the namespace of the GitRepo or Bundle that declares the valuesFrom
Testing Methodology
Validate this detection against the four adversary emulation tests below (Atomic Red Team style). Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Fleet valuesFrom Cross-Namespace Secret Read
Expected signal: Kubernetes audit log entry: verb=get, resource=secrets, objectRef.name=victim-secret, objectRef.namespace=fleet-test-victim, user.username=system:serviceaccount:fleet-test-attacker:fleet-*, responseStatus.code=200
- Test 2: Enumerate Existing GitRepo valuesFrom Cross-Namespace References
Expected signal: Script output listing cross-namespace references; Kubernetes API audit logs for GET gitrepos and GET bundles at cluster scope
- Test 3: Fleet Service Account RBAC Permission Audit for Secret Access
Expected signal: kubectl auth can-i commands generate Kubernetes audit log entries for SubjectAccessReview API calls; RBAC audit output identifies over-privileged Fleet service accounts
- Test 4: Monitor Fleet Controller Live for Cross-Namespace Secret Access Events
Expected signal: Real-time stdout alerts for each cross-namespace secret or configmap read event matching Fleet service account patterns
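An added example of the enumeration that Test 2 describes (this is not the page's own test script): it walks a Bundle list as returned by kubectl get bundles -A -o json and reports every valuesFrom reference whose namespace differs from the Bundle's own. The object shape it assumes (spec.helm.valuesFrom[] and spec.targets[].helm.valuesFrom[], each entry carrying a secretKeyRef or configMapKeyRef with name, optional namespace and key) follows the Fleet Bundle schema as I understand it; verify it with kubectl explain bundle.spec.helm.valuesFrom on your cluster. The treatment of a missing namespace as same-namespace, and the bundle names, namespaces and secret names in the constructed sample, are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get bundles -A -o json` (assumed schema, made-up data).
SAMPLE_BUNDLES = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {   # clean: references stay in, or default to, the Bundle's own namespace
            "metadata": {"name": "web-app", "namespace": "team-a"},
            "spec": {"helm": {"chart": "web", "valuesFrom": [
                {"configMapKeyRef": {"name": "web-values", "key": "values.yaml"}},
                {"secretKeyRef": {"name": "web-secrets", "namespace": "team-a", "key": "values.yaml"}},
            ]}},
        },
        {   # suspicious: a Secret in another tenant's namespace
            "metadata": {"name": "helper", "namespace": "fleet-test-attacker"},
            "spec": {"helm": {"chart": "helper", "valuesFrom": [
                {"secretKeyRef": {"name": "victim-secret", "namespace": "fleet-test-victim", "key": "values.yaml"}},
            ]}},
        },
        {   # suspicious: per-target override reaching into a system namespace
            "metadata": {"name": "agent-cfg", "namespace": "fleet-test-attacker"},
            "spec": {"helm": {"chart": "agent"}, "targets": [
                {"clusterName": "prod-1", "helm": {"valuesFrom": [
                    {"configMapKeyRef": {"name": "fleet-config", "namespace": "cattle-fleet-system", "key": "values.yaml"}},
                ]}},
            ]},
        },
    ],
}


def _refs_in(values_from, location):
    """Yield (kind, ref, json-path) for each secretKeyRef/configMapKeyRef in a valuesFrom list."""
    for i, entry in enumerate(values_from or []):
        for kind in ("secretKeyRef", "configMapKeyRef"):
            ref = entry.get(kind)
            if ref:
                yield kind, ref, f"{location}.valuesFrom[{i}].{kind}"


def find_cross_namespace_refs(bundle_list):
    """Return every valuesFrom reference whose namespace differs from its Bundle's namespace.

    A reference without an explicit namespace is assumed to resolve in the Bundle's namespace
    and is therefore never reported.
    """
    findings = []
    for item in bundle_list.get("items", []):
        meta = item.get("metadata", {})
        bundle_ns = meta.get("namespace")
        spec = item.get("spec", {})
        sources = [(spec.get("helm", {}).get("valuesFrom"), "spec.helm")]
        for t, target in enumerate(spec.get("targets", [])):
            sources.append((target.get("helm", {}).get("valuesFrom"), f"spec.targets[{t}].helm"))
        for values_from, location in sources:
            for kind, ref, path in _refs_in(values_from, location):
                ref_ns = ref.get("namespace") or bundle_ns
                if ref_ns != bundle_ns:
                    findings.append({
                        "bundle": meta.get("name"),
                        "bundle_namespace": bundle_ns,
                        "ref_kind": kind,
                        "ref_name": ref.get("name"),
                        "ref_namespace": ref_ns,
                        "path": path,
                    })
    return findings


if __name__ == "__main__":
    # Read a real list from stdin when piped; fall back to the constructed sample otherwise.
    data = SAMPLE_BUNDLES if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in find_cross_namespace_refs(data):
        print(json.dumps(finding))
```

Run it as kubectl get bundles -A -o json | python3 find_refs.py; the two suspicious entries in the sample are reported with the JSON path of the offending reference, which is what you would then compare against the audit-log hits from the detection query. Extend the sources list if your Fleet version places valuesFrom elsewhere.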