{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/regex-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fleet (\u003e= 0.15.0 \u003c 0.15.2)","Fleet (\u003e= 0.14.0 \u003c 0.14.6)","Fleet (\u003e= 0.13.0 \u003c 0.13.11)","Fleet (\u003e= 0.12.0 \u003c 0.12.15)"],"_cs_severities":["high"],"_cs_tags":["rancher","fleet","vulnerability","webhook","regex-injection","denial-of-service","cloud-native","kubernetes","supply-chain"],"_cs_type":"advisory","_cs_vendors":["SUSE","Rancher"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-44937, has been identified in Rancher Fleet, a GitOps at Scale project. When the webhook endpoint of Fleet is configured without a secret, an unauthenticated attacker can forge webhook requests. This allows the attacker to leverage a regex injection vulnerability via unsanitized repository URL components. Exploitation can lead to continuous repository re-cloning, causing significant network traffic and depleting resources on the management cluster, effectively resulting in a Denial of Service. Additionally, attackers with read access to the target Git repository can force a downgrade of running services to any historical revision. This vulnerability impacts Fleet versions prior to v0.15.2, v0.14.6, 0.13.11, and v0.12.15. The issue was reported by Radisauskas Arnoldas from NATO Cyber Security Centre.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Rancher Fleet instance with its webhook endpoint accessible and configured without a shared secret.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the Fleet webhook endpoint, such as \u003ccode\u003e/webhook\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects regular expression patterns into the repository URL components, exploiting the unsanitized input vulnerability (CVE-2026-44937).\u003c/li\u003e\n\u003cli\u003eFleet receives and processes the forged webhook request, attempting to interpret the malicious regex as a legitimate repository reference.\u003c/li\u003e\n\u003cli\u003eThis misinterpretation causes Fleet to initiate continuous, erroneous attempts to re-clone the specified (attacker-controlled or non-existent) repository.\u003c/li\u003e\n\u003cli\u003eThe constant re-cloning operations consume excessive network bandwidth and compute resources on the management cluster, leading to a Denial of Service state.\u003c/li\u003e\n\u003cli\u003eIf the attacker also has read access to the legitimate target Git repository, they can specify a historical revision via the regex injection to force a service downgrade.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an unauthenticated attacker to cause significant operational disruption. The primary impact is a Denial of Service (DoS) due to continuous repository re-cloning, which exhausts network resources and compute capacity on the management cluster. This can halt or severely degrade the normal operation of deployed applications and infrastructure managed by Fleet. A secondary impact, conditional on the attacker having read access to the target Git repository, is the ability to force running services to downgrade to any historical revision, potentially introducing older, vulnerable, or non-functional code. The full scope of victims is not specified, but any organization utilizing vulnerable Rancher Fleet configurations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rancher Fleet to a patched version (v0.15.2, v0.14.6, 0.13.11, or v0.12.15) to address CVE-2026-44937 immediately.\u003c/li\u003e\n\u003cli\u003eImplement the workaround by ensuring all Fleet webhooks are configured with a shared secret to prevent unauthenticated access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:26:19Z","date_published":"2026-07-03T12:26:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rancher-fleet-regex-injection/","summary":"An unauthenticated regex injection vulnerability exists in Rancher Fleet's webhook endpoint when it's configured without a secret, allowing attackers to forge webhook requests using unsanitized repository URL components, which leads to continuous repository re-cloning, causing network and resource exhaustion (Denial of Service) on the management cluster, and potentially service downgrades if the attacker has read access to the target Git repository.","title":"Rancher Fleet Unauthenticated Webhook Regex Injection (CVE-2026-44937)","url":"https://feed.craftedsignal.io/briefs/2026-07-rancher-fleet-regex-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Regex-Injection","version":"https://jsonfeed.org/version/1.1"}