Tag

#Rancher

newsCRITICAL 9.4

Rancher Vulnerable to Command Injection via Unsanitized YAML Parameter (CVE-2026-44939)

A critical command injection vulnerability (CVE-2026-44939, CVSS 9.4) has been identified in Rancher Manager's cluster import endpoint. An attacker can exploit this flaw by injecting malicious YAML configurations, potentially achieving full control over downstream Kubernetes clusters. Affected versions of Rancher must be updated to patched releases to mitigate this vulnerability.

1 source
articleCRITICAL 9.4

Critical Privilege Escalation Vulnerability in Rancher Manager

A critical vulnerability (CVE-2026-41052) with a CVSS score of 9.4 has been identified in Rancher Manager, allowing users with the Project Owner role to escalate privileges to the host level. This vulnerability is exploitable under specific access patterns, enabling attackers to deploy privileged containers, access host-level resources, and potentially compromise the entire cluster. The vulnerability has not been actively exploited but requires immediate attention. Affected versions can be patched by upgrading to Rancher versions v2.12.10, v2.13.6, or v2.14.2.

1 source
articleHIGH 8.8

Critical Authentication Bypass Vulnerability in Rancher GitHub Authentication Provider (CVE-2026-41053)

A critical vulnerability (CVE-2026-41053) with a CVSS score of 8.8 was discovered in the Rancher GitHub authentication provider. This vulnerability allows for incorrect authentication caching, granting principal access to any logged-in user. Affected versions include Rancher 2.13 before 2.13.6 and 2.14 before 2.14.2. Organizations are urged to upgrade to patched versions immediately to prevent potential authentication bypass attacks.

1 source