Severity by source

Primary rating from the vendor (SUSE).

CVSS vector (vendor: SUSE):
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attacker is a project user (PR:L) exploiting stale bindings; AC:H reflects the specific precondition sequence required; no confidentiality or availability impact.
Description (CVE.org)
A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
Analysis (AI)
Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concurrent conditions: (1) the target Rancher deployment must use the legacy PRTB reconciler code path (relevant to Rancher 2.13.0-2.13.7 or 2.14.0-2.14.3); (2) a user must have previously been assigned a RoleTemplate that included PSA permissions via a PRTB; and (3) an administrator must have since removed those PSA permissions from the RoleTemplate without the reconciler cleaning up the residual PSA bindings. … |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N) yields a score of 6.9 (Medium). … |
| Exploit Scenario | A Rancher project user was previously granted a RoleTemplate that included Pod Security Admission permissions allowing privileged pod deployment. An administrator later removed those PSA permissions from the RoleTemplate, believing the user's access was revoked. … |
| Remediation | Consult the vendor advisory at https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc for confirmed fix versions; based on the reported affected ranges (up to 2.13.7 and up to 2.14.3), fixed releases are expected to be 2.13.8 and 2.14.4 or later, but these versions have not been independently confirmed from the data provided. … |
Related Rancher vulnerabilities

- … {token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no …
- SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a v…
- Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to im…
- Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal…
- A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -ski…
- Authentication bypass in SUSE Rancher's in-cluster admission webhook (rancher-webhook) lets a network-adjacent, unauthen…
- Path traversal in Rancher Fleet's ImageScan subsystem (CWE-23) allows authenticated remote attackers to escape intended…
Weakness: CWE-281 – Improper Preservation of Permissions
Technique: Authentication Bypass
EUVD identifier: EUVD-2026-40327