An attacker with git push access to a
Fleet-monitored repository could overwrite Pod Security Standards (PSS)
enforcement labels on a target namespace. This allows the attacker to
weaken admission controls and deploy workloads that PSS policies would
otherwise block.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-864g-863m-vcvq | Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent |
Tue, 07 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 14:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-monitored repository could overwrite Pod Security Standards (PSS) enforcement labels on a target namespace. This allows the attacker to weaken admission controls and deploy workloads that PSS policies would otherwise block. | |
| Title | Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent | |
| Weaknesses | CWE-522 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: suse
Published:
Updated: 2026-07-07T14:07:50.221Z
Reserved: 2026-05-08T12:29:48.967Z
Link: CVE-2026-44938
Updated: 2026-07-07T14:07:45.835Z
No data.
No data.
OpenCVE Enrichment
No data.
Github GHSA