
Rancher Manager CVE-2026-44939

EUVD: EUVD-2026-38009 · CRITICAL
Eval Injection (CWE-95)
2026-06-19 · suse · GHSA-mhc6-2gfq-xx62
Critical (disputed) · 9.4 · Vendor: suse

Severity by source

Sources disagree (Medium–Critical)
Vendor (suse), PRIMARY: 9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.6 CRITICAL

Network-reachable import endpoint with no auth (AV:N/PR:N), low complexity, requires an operator to import the poisoned YAML (UI:R), and escapes the agent container into the managed cluster (S:C, C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SUSE (qualitative): MEDIUM

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (Vendor: suse)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline (2 events)

Patch available: Jun 19, 2026 - 14:31 (EUVD)
Analysis Generated: Jun 19, 2026 - 13:03 (vuln.today)

Description (CVE.org)

A command injection vulnerability in the Rancher Manager cluster import endpoint /v3/import/{token}_{clusterId}.yaml, in versions before 2.14.2, could allow remote attackers, via unsanitized YAML parameters, to break out of an image and execute, for example, malicious containers.

Analysis (AI)

{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no public exploit was identified at time of analysis and it is not listed in CISA KEV. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed Rancher Manager < 2.14.2
Delivery: Craft YAML payload with injected directives
Exploit: Deliver poisoned /v3/import URL or manifest to operator
Execution: Operator imports manifest, triggering YAML parameter evaluation
Persist: Injected code escapes Rancher agent image
Impact: Deploy attacker-controlled containers across managed cluster

Vulnerability Assessment (AI)

Exploitation: Exploitation requires reaching the Rancher Manager /v3/import/{token}_{clusterId}.yaml endpoint over the network and supplying attacker-influenced YAML parameters; per CVSS PR:N no Rancher authentication is needed, but UI:P means a legitimate operator (or automation) must passively act on the poisoned import - typically by applying or fetching the manifest during a normal cluster registration flow. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) combined with High vulnerable- and subsequent-system impact (VC/VI/VA and SC/SI/SA all H) reflects a network-reachable, unauthenticated injection whose blast radius extends from Rancher into the managed clusters - a realistic worst case for a multi-cluster control plane. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A remote attacker crafts a malicious cluster-import URL or YAML payload that smuggles directives through the YAML parameters of /v3/import/{token}_{clusterId}.yaml; when a Rancher operator (or an automated pipeline) imports or fetches the poisoned manifest, the injected code executes in the cluster agent context, escapes the agent image, and deploys attacker-controlled containers into the target cluster. No public exploit was identified at time of analysis, but the attack flow is straightforward given the network attack vector and low complexity.

Remediation: Upgrade Rancher Manager to version 2.14.2 or later, which is the vendor-released patch referenced by GHSA-mhc6-2gfq-xx62 (https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Conduct immediate inventory of SUSE components using asset discovery tools and assess network exposure of affected systems. …


Vendor Status (Vendor)

SUSE

Severity: Moderate
