Skip to main content

SUSE Harvester CVE-2025-71261

| EUVDEUVD-2025-210170 HIGH
Improper Certificate Validation (CWE-295)
2026-05-06 https://github.com/harvester/harvester GHSA-pgh9-mpwc-8jjf
8.6
CVSS 3.1 · Vendor: https://github.com/harvester/harvester
Share

Severity by source

Vendor (https://github.com/harvester/harvester) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (https://github.com/harvester/harvester).

CVSS VectorVendor: https://github.com/harvester/harvester

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 21:01 vuln.today
Analysis Generated
May 06, 2026 - 21:01 vuln.today
CVE Published
May 06, 2026 - 20:16 nvd
HIGH 8.6

DescriptionCVE.org

Impact

A vulnerability has been identified in the SUSE Virtualization (Harvester) Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution of a man-in-the-middle (MitM) attack against SUSE Virtualization.

An attacker with network-level access between the SUSE Virtualization and Rancher Manager could interfere with the TLS handshake and abuse it to bypass TLS as a security control. The registration client could be misled to send cluster registration requests to an impersonated remote service. Additionally, because the system processes response payloads without performing size validation, an attacker could induce a memory buffer overflow, leading to a potential crash of the SUSE Virtualization registration controller.

Note that this vulnerability only affects the cluster registration configuration (the cluster-registration-url setting) which is distinct from the secured configuration used to maintain operational connectivity between SUSE Virtualization and Rancher Manager, as well as between the manager and hosted downstream clusters.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle and MITRE ATT&CK - Technique - Endpoint Denial of Service: Application or System Exploitation for further information about this category of attack.

Patches

This vulnerability is addressed by updating the registration client’s default behaviour to validate the certificate presented by the remote server against the list of trusted system root certificate authority (CA) and those defined by the additional-ca setting.

Patched versions of SUSE Virtualization include releases v1.8.0 or newer.

Workarounds

If developers can't upgrade to a fixed version, ensure that only authorized cluster administrators can access and modify the cluster-registration-url setting.

Resources

If there are any questions or comments about this advisory:

AnalysisAI

Man-in-the-middle attacks and denial of service against SUSE Harvester (SUSE Virtualization) affect all versions prior to 1.8.0 due to disabled TLS certificate verification in the Rancher integration registration client. Network-positioned attackers can intercept cluster registration traffic to steal credentials or trigger memory buffer overflow crashes. The vulnerability is limited to the initial cluster registration phase and does not affect ongoing operational connectivity between Harvester and Rancher Manager. Vendor-released patch available in version 1.8.0 with full certificate validation enabled by default. No active exploitation confirmed; no public exploit code identified at time of analysis.

Technical ContextAI

SUSE Harvester is a Kubernetes-based hyperconverged infrastructure platform that integrates with SUSE Rancher Manager for cluster management. The vulnerability (CWE-295: Improper Certificate Validation) exists in the Go-based registration client component (pkg:go/github.com/harvester/harvester) which handles the initial cluster registration handshake with Rancher Manager. By default, the client disables TLS certificate verification during this registration phase, accepting any certificate presented by the remote endpoint without validating it against system root CAs. This insecure default creates two distinct attack surfaces: first, the bypassed TLS validation enables classic MITM attacks where attackers can impersonate the Rancher Manager endpoint; second, the client processes server response payloads without size bounds checking, creating a memory buffer overflow condition. The flaw is specific to the cluster-registration-url configuration path and does not affect the separate secured communication channels used for post-registration cluster operations.

RemediationAI

Upgrade SUSE Harvester to version 1.8.0 or newer, which implements mandatory TLS certificate validation against system root CAs and certificates defined in the additional-ca setting. Download from official SUSE channels per the support matrix at https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/. If immediate upgrade is not feasible, implement compensating controls: restrict access to the cluster-registration-url configuration setting to authorized cluster administrators only using Kubernetes RBAC policies; deploy network segmentation to isolate Harvester-to-Rancher communication paths from untrusted networks; implement certificate pinning at the network layer if supported by your infrastructure; monitor registration traffic for TLS anomalies or unexpected certificate changes. Note that access restrictions only prevent unauthorized attackers from modifying registration endpoints-they do not prevent MITM attacks by network-positioned adversaries. These workarounds reduce but do not eliminate risk; upgrade remains the only complete remediation. Verify installation against SUSE product support lifecycle at https://www.suse.com/lifecycle/.

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2025-71261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy