CVE-2026-44935: Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be us
Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-44935
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-449350.58% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 44% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-44935 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[UPDATE] [high] Fleet: Multiple vulnerabilitiescert-bund
Recent advisories for Missing validation of
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highGHSA-g5r6-gv6m-f5jv: mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attac…ghsa · 2026-07-10
- criticalCVE-2026-15282: The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to mi…nvd · 2026-07-10
- mediumCVE-2026-59807: Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allow…nvd · 2026-07-08
- mediumCVE-2026-9731: The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio…nvd · 2026-07-08
- highCVE-2026-14489: The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing f…nvd · 2026-07-08
- highGHSA-pmch-g965-grmr: Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbi…ghsa · 2026-07-02
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11