
Rancher · EUVD-2026-40304 | CVE-2026-44946 · CRITICAL
Authentication Bypass by Capture-replay (CWE-294)
2026-06-30 · suse
9.5 (CVSS 4.0 · Vendor: suse)

Severity by source

Vendor (suse) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable but requires a MITM position to capture a live assertion (AC:H); no credentials to replay (PR:N); Rancher compromise cascades to managed clusters (S:C, C:H/I:H), with no direct availability impact (A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Primary rating from Vendor (suse).

CVSS Vector (Vendor: suse)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Attack Requirements: Present (AT:P)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None (VC:H/VI:H/VA:N)
Subsequent System Impact: Confidentiality High, Integrity High, Availability High (SC:H/SI:H/SA:H)
Safety (supplemental): Not Defined (S:X). CVSS 4.0 has no Scope metric; the cascade to managed clusters that "Scope: Changed" expresses in the 3.1 vector is carried here by the Subsequent System metrics.

Lifecycle Timeline

Patch available
Jun 30, 2026 - 14:01 EUVD
Analysis Generated
Jun 30, 2026 - 12:52 vuln.today

Description (CVE.org)

A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertions, potentially allowing person-in-the-middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3.

Analysis (AI)

SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a victim's SAML response reuse that assertion to authenticate as the victim, because the handler never enforces one-time use. Rancher 2.14.0 through 2.14.2 are affected. The attacker obtains whatever the victim has; when the victim is a Rancher administrator that is administrative control, and because Rancher governs downstream Kubernetes clusters, that control extends to those clusters. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain MITM position on SAML path
Delivery: Capture victim's signed SAML assertion
Exploit: Replay assertion to Rancher ACS endpoint
Execution: Authenticate as victim user
Persist: Assume administrative control of Rancher
Impact: Pivot to managed Kubernetes clusters

Vulnerability Assessment (AI)

Exploitation: Requires a Rancher 2.14.0-2.14.2 instance configured for SAML single sign-on, and an attacker able to observe and replay a victim's valid SAML assertion, i.e. … Assuming the ACS still applies the assertion's own validity window (a standard SAML check the advisory does not say is missing), a captured response is only useful until its NotOnOrAfter time, so capture and replay have to happen in quick succession.
Risk Assessment: Signals are mixed and should temper the headline 9.5. …
Exploit Scenario: An attacker positioned as a person-in-the-middle on the path the signed SAML response travels, either between the identity provider and the administrator's browser or between that browser and Rancher's ACS endpoint, captures the response as the administrator logs in. Both legs normally run over TLS, so this position implies TLS interception, a compromised client or proxy, or a deployment that exposes one of those legs in the clear; that is the AC:H in the vector, not a limitation of the replay itself. Because the ACS handler does not invalidate already-used assertions, the attacker replays the same response to the ACS endpoint, is authenticated as that administrator, and then uses Rancher's control plane to reach managed Kubernetes clusters. …
Remediation: Upgrade to Rancher 2.14.3; the affected range ("2.14.0 before 2.14.3") identifies it as the fixed release. Follow the upgrade guidance in the advisory https://github.com/rancher/rancher/security/advisories/GHSA-c5jm-xcmq-9j95. …
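The replay in the attack chain and the one-time-use check the remediation restores, as an added example in Go (Rancher's implementation language) that is not code from Rancher, from the advisory or from this page: a minimal Assertion Consumer Service in two variants. acsVulnerable does only what a replay-vulnerable handler does, check the assertion's validity window (signature verification is assumed to have succeeded upstream and is not modelled, since a replayed response carries the IdP's valid signature anyway), so the same captured response is accepted on every presentation. acsFixed additionally records the assertion ID in a ReplayCache until the assertion's NotOnOrAfter instant and refuses a second presentation. All type, function and cache names and the sample response are constructed for this example and do not describe Rancher's actual code.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Subset of a SAML 2.0 Response these checks need (illustrative types, not
// Rancher's). Signature verification is assumed done upstream and not modelled.
type samlResponse struct {
	Assertion struct {
		ID         string `xml:"ID,attr"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    time.Time `xml:"NotBefore,attr"` // RFC 3339 via TextUnmarshaler
			NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

var ErrReplay = errors.New("saml: assertion ID already consumed")

// checkWindow parses the response and enforces NotBefore/NotOnOrAfter only.
func checkWindow(raw []byte, now time.Time) (*samlResponse, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	c := r.Assertion.Conditions
	if r.Assertion.ID == "" || now.Before(c.NotBefore) || !now.Before(c.NotOnOrAfter) {
		return nil, errors.New("saml: assertion has no ID or is outside its validity window")
	}
	return &r, nil
}

// acsVulnerable accepts any in-window assertion however often it is presented.
func acsVulnerable(raw []byte, now time.Time) (string, error) {
	r, err := checkWindow(raw, now)
	if err != nil {
		return "", err
	}
	return r.Assertion.NameID, nil
}

// ReplayCache remembers consumed IDs until NotOnOrAfter; after that the window check rejects them anyway.
type ReplayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time
}
func NewReplayCache() *ReplayCache { return &ReplayCache{seen: map[string]time.Time{}} }

// consume marks id as used; lookup and insert share one lock so concurrent replays cannot both pass.
func (c *ReplayCache) consume(id string, expires, now time.Time) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, exp := range c.seen {
		if !now.Before(exp) {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return ErrReplay
	}
	c.seen[id] = expires
	return nil
}

// acsFixed adds one-time use on top of the window check.
func acsFixed(c *ReplayCache, raw []byte, now time.Time) (string, error) {
	r, err := checkWindow(raw, now)
	if err != nil {
		return "", err
	}
	if err := c.consume(r.Assertion.ID, r.Assertion.Conditions.NotOnOrAfter, now); err != nil {
		return "", err
	}
	return r.Assertion.NameID, nil
}

// Constructed sample standing in for a captured response (no Signature element).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_a9f3c2">
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-06-30T12:00:00Z" NotOnOrAfter="2026-06-30T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>`

func main() {
	now := time.Date(2026, 6, 30, 12, 1, 0, 0, time.UTC)
	raw, cache := []byte(sampleResponse), NewReplayCache()
	for attempt := 1; attempt <= 2; attempt++ {
		_, vErr := acsVulnerable(raw, now)
		_, fErr := acsFixed(cache, raw, now)
		fmt.Printf("attempt %d: vulnerable ACS err=%v; fixed ACS err=%v\n", attempt, vErr, fErr)
	}
}
```

Two caveats that follow from the design rather than from the advisory: the consumed-ID set has to be shared by every replica that serves the ACS endpoint, since a per-process map lets a replay succeed on a different replica; and in SP-initiated flows, checking the response's InResponseTo against the set of outstanding AuthnRequest IDs is a complementary, independent defence against reuse.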

Recommended Action (AI)

Within 24 hours: identify all Rancher deployments running versions 2.14.0, 2.14.1, or 2.14.2 with SAML authentication enabled. …




EUVD-2026-40304 vulnerability details – vuln.today
