CVE-2026-41050
CriticalSummary
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive data, potentially leading to serious security breaches and loss of information confidentiality.
Recommendation
It is recommended to update Fleet to the latest version to ensure full application of ServiceAccount impersonation and restrict repository access only to trusted users.
Original NVD description (English source)
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.

