Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable (AV:N) but requires a person-in-the-middle position to capture a live assertion (AC:H, AT:P); no credentials are needed to replay it (PR:N); compromise of Rancher cascades to the managed clusters (VC:H/VI:H on Rancher itself, SC:H/SI:H/SA:H on the subsequent systems), with no direct availability impact on Rancher (VA:N).
Primary rating from Vendor (suse).
Description (CVE.org)
A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertions, potentially allowing person-in-the-middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3.
Analysis (AI)
SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a victim's SAML response reuse that assertion to authenticate as the victim, because the handler never enforces one-time use. Rancher 2.14.0 through 2.14.2 are affected, and because Rancher governs downstream Kubernetes clusters, a successful replay can yield administrative control. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that Rancher 2.14.0-2.14.2 is configured to use SAML single sign-on, and that the attacker can observe and replay a victim's valid SAML assertion - i.e. … |
| Risk Assessment | Signals are mixed and should temper the headline 9.5. … |
| Exploit Scenario | An attacker positioned as a person-in-the-middle on the network path between an administrator's browser and Rancher (or between Rancher and the IdP) captures the signed SAML response as the admin logs in. Because the ACS handler does not invalidate already-used assertions, the attacker replays the same assertion to the ACS endpoint and is authenticated as that administrator, then leverages Rancher's control plane to reach managed Kubernetes clusters. … |
| Remediation | Vendor-released patch: upgrade to Rancher 2.14.3, which the version range ('2.14.0 before 2.14.3') confirms as the fixed release; follow the upgrade guidance in advisory https://github.com/rancher/rancher/security/advisories/GHSA-c5jm-xcmq-9j95. … |
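The missing control that the description and the Exploit Scenario row describe is one-time use of an assertion at the ACS. The following is an added example of such a control and is not Rancher's code or the page's own: a replay guard that records each accepted assertion ID until the assertion's own NotOnOrAfter instant and rejects any second presentation of that ID. The type and function names (`Assertion`, `ReplayGuard`, `Accept`) and the sample assertion values are assumptions constructed for this example; a real ACS would take the ID and NotOnOrAfter from the signature-verified `<saml:Assertion>` element after all other validation has passed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assertion carries the two fields the replay check needs.
// Hypothetical minimal struct for this example, not Rancher's type.
type Assertion struct {
	ID           string    // saml:Assertion/@ID, unique per issuance
	NotOnOrAfter time.Time // saml:Conditions/@NotOnOrAfter
}

var (
	ErrReplayed = errors.New("saml: assertion ID already consumed")
	ErrExpired  = errors.New("saml: assertion past NotOnOrAfter")
)

// ReplayGuard enforces one-time use: every accepted assertion ID is
// remembered until its own NotOnOrAfter instant. Past that instant the
// validity check rejects the assertion anyway, so the cache stays bounded
// without forgetting any ID that could still be replayed.
type ReplayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time // assertion ID -> NotOnOrAfter
	now  func() time.Time     // injectable clock for deterministic tests
}

func NewReplayGuard(now func() time.Time) *ReplayGuard {
	if now == nil {
		now = time.Now
	}
	return &ReplayGuard{seen: make(map[string]time.Time), now: now}
}

// Accept returns nil exactly once per still-valid assertion ID. The expiry
// check runs first so an expired assertion is never recorded, and the ID is
// recorded under the same lock as the duplicate check so two concurrent
// presentations of one assertion cannot both succeed.
func (g *ReplayGuard) Accept(a Assertion) error {
	t := g.now()
	if !t.Before(a.NotOnOrAfter) {
		return ErrExpired
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	// Opportunistic sweep: forget IDs whose assertions can no longer validate.
	for id, exp := range g.seen {
		if !t.Before(exp) {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[a.ID]; dup {
		return ErrReplayed
	}
	g.seen[a.ID] = a.NotOnOrAfter
	return nil
}

// Size reports how many IDs are currently remembered (for tests and metrics).
func (g *ReplayGuard) Size() int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return len(g.seen)
}

func main() {
	// Constructed sample: one assertion valid for five minutes, presented twice,
	// then a second assertion after the first has expired.
	base := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC)
	clock := base
	g := NewReplayGuard(func() time.Time { return clock })
	a := Assertion{ID: "_example-assertion-1", NotOnOrAfter: base.Add(5 * time.Minute)}
	b := Assertion{ID: "_example-assertion-2", NotOnOrAfter: base.Add(10 * time.Minute)}

	fmt.Println("first presentation:", g.Accept(a)) // <nil>
	fmt.Println("replayed:          ", g.Accept(a)) // saml: assertion ID already consumed
	clock = base.Add(6 * time.Minute)
	fmt.Println("after expiry:      ", g.Accept(a)) // saml: assertion past NotOnOrAfter
	fmt.Println("fresh assertion:   ", g.Accept(b)) // <nil>
	fmt.Println("remembered IDs:    ", g.Size())    // 1 (the sweep dropped the expired ID)
}
```

Two design points matter in practice. The guard must sit in the same code path as signature and audience validation, after them, so an unsigned or foreign assertion never reaches the cache. And in a deployment with several Rancher replicas the `seen` set has to be shared (for example in a common datastore), because a per-process map lets each replica accept the same assertion once, which is exactly the replay the control is meant to stop.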
Recommended Action (AI)
Within 24 hours: identify all Rancher deployments running versions 2.14.0, 2.14.1, or 2.14.2 with SAML authentication enabled. …
Weakness: CWE-294 – Authentication Bypass by Capture-replay
EUVD identifier: EUVD-2026-40304