Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable management API (AV:N/AC:L), attacker must be a logged-in user (PR:L), no interaction; authorization bypass yields high control-plane confidentiality, integrity, and availability impact.
Primary rating from Vendor (suse).
CVSS Vector (Vendor: suse)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Incorrect authentication caching in the team membership expansion of the Rancher GitHub authentication provider caused it to grant principal access to any logged-in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.
Analysis (AI)
Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal access they should not hold, because the GitHub authentication provider incorrectly caches the result of team membership expansion. The flaw (CWE-303, CVSS 8.8) means a low-privileged GitHub-authenticated user can be granted access tied to other principals/teams, effectively bypassing intended authorization. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that Rancher be configured to use the GitHub authentication provider (the vulnerable team-membership-expansion path) and that the attacker possess a valid logged-in session (PR:L); it is not anonymous or unauthenticated. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8 High) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact, consistent with an authenticated user gaining unauthorized principal access in a cluster-management plane. … |
| Exploit Scenario | An attacker who holds any valid GitHub-backed Rancher login authenticates to the Rancher server; because of the faulty team-membership cache, Rancher serves them principal access belonging to another user or team, granting cluster or project rights they were never assigned. Leveraging that elevated principal, the attacker reads secrets or modifies workloads across clusters they should not control. … |
| Remediation | Vendor-released patch: upgrade Rancher to 2.13.6 (for the 2.13 line) or 2.14.2 (for the 2.14 line) as the primary fix; consult the SUSE/Rancher advisory at https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh for upgrade guidance. … |
Recommended Action (AI)
24 hours: Identify all Rancher instances running versions 2.13.x (before 2.13.6) or 2.14.x (before 2.14.2) and immediately disable the GitHub authentication provider; switch to an alternative auth method (OIDC, local accounts, or another provider). …
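The first step above is an inventory check against the two affected ranges stated in the advisory. The script below is an added example, not code from vuln.today, SUSE or the Rancher project: it takes the version string reported by each Rancher instance (operators commonly read this from the Rancher API's `server-version` setting, which is assumed here rather than queried), parses it, and sorts the fleet into instances inside the stated affected ranges, instances outside them, and strings it cannot parse. Pre-release builds of the fixing patch (for example `v2.13.6-rc2`) sort before the fix and are treated as affected, which is the conservative reading of "before 2.13.6". The inventory at the bottom is constructed for demonstration.

```python
"""Triage Rancher versions against the ranges named in the advisory:
2.13.x before 2.13.6 and 2.14.x before 2.14.2.

Added example (not vuln.today's, SUSE's or Rancher's code). Version strings
are assumed to come from each instance's `server-version` setting.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minor line -> first fixed patch level, taken from the advisory text.
FIXED_PATCH_BY_LINE: Dict[Tuple[int, int], int] = {
    (2, 13): 6,  # 2.13.x is fixed in 2.13.6
    (2, 14): 2,  # 2.14.x is fixed in 2.14.2
}

# Accepts "2.13.5", "v2.13.5", "v2.13.6-rc2", "v2.14.1+build.7".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Return (major, minor, patch, prerelease) or None if unparseable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), pre


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls inside a stated affected range,
    False if it is outside every stated range, None if unparseable.
    Only the ranges in the advisory are encoded; other lines are not judged."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, pre = parsed
    fixed_patch = FIXED_PATCH_BY_LINE.get((major, minor))
    if fixed_patch is None:
        return False
    if patch < fixed_patch:
        return True
    # A pre-release of the fixing patch (e.g. 2.13.6-rc2) precedes the fix.
    if patch == fixed_patch and pre is not None:
        return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group instance names by status so the affected set can be acted on first."""
    groups: Dict[str, List[str]] = {
        "affected": [],
        "outside_stated_ranges": [],
        "unparseable": [],
    }
    for name, version in inventory.items():
        status = is_affected(version)
        if status is None:
            groups["unparseable"].append(name)
        elif status:
            groups["affected"].append(name)
        else:
            groups["outside_stated_ranges"].append(name)
    return groups


# Constructed inventory for demonstration; names and versions are invented.
SAMPLE_INVENTORY: Dict[str, str] = {
    "rancher-prod": "v2.13.5",
    "rancher-staging": "v2.14.2",
    "rancher-dev": "v2.14.1",
    "rancher-canary": "v2.13.6-rc2",
    "rancher-legacy": "v2.12.3",
    "rancher-unknown": "latest",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Instances listed under `outside_stated_ranges` are only outside the two ranges the advisory names; a 2.12.x entry lands there because the advisory says nothing about that line, not because it has been verified as unaffected. Instances in `unparseable` (tags such as `latest`) need a manual look before the GitHub provider is left enabled on them.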
References
EUVD-2026-40297
GHSA-4j6x-2764-m8gh