CVE-2024-58260
Published 2025-10-02
Priority: P3 · 42 · CVSS 3.1 base score 7.6 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
EPSS: 0.45% (36.1st percentile)
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.10.0 < 2.10.10 | 2.10.10 |
| github.com | rancher_rancher | >= 2.11.0 < 2.11.6 | 2.11.6 |
| github.com | rancher_rancher | >= 2.12.0 < 2.12.2 | 2.12.2 |
| github.com | rancher_rancher | >= 2.9.0 < 2.9.12 | 2.9.12 |
| suse | rancher | >= 2.10.0 < 2.10.10 | 2.10.10 |
| suse | rancher | >= 2.11.0 < 2.11.6 | 2.11.6 |
| suse | rancher | >= 2.12.0 < 2.12.2 | 2.12.2 |
| suse | rancher | >= 2.9.0 < 2.9.12 | 2.9.12 |
OSV · 2025-10-23 · CVE-2024-58260: Rancher update on users can deny the service to the admin in github.com/rancher/rancher
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.9.0 before v2.9.12, from v2.10.0 before v2.10.10, from v2.11.0 before v2.11.6, from v2.12.0 before v2.12.2.
GHSA · 2025-09-26 · CVE-2024-58260 [HIGH] · CWE-863: Rancher update on users can deny the service to the admin
### Impact
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically:
- Username takeover: A user with permission to update another user’s resource can set its `.username` to "admin", preventing both the legitimate admin and the affected user from logging in, as Rancher enforces uniqueness at login time.
- Account lockout: A user with update permissions on the admin account can change the admin’s username, effectively blocking administrative access to the Rancher UI.
This issue enables a malicious or compromised account with eleva
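As an added illustration (not Rancher's own code), the kind of server-side check the advisory describes as missing: `.username` uniqueness across User resources is enforced when an update is validated, not only at login time, so a rename to a username that another account already holds is rejected before it can lock anyone out. The `User` struct and the in-memory user list are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a minimal stand-in for Rancher's User resource (constructed for
// this example); only the fields the check needs are modelled.
type User struct {
	Name     string // resource name, e.g. "user-abc12"
	Username string // the .username field discussed in the advisory
}

var (
	ErrUsernameTaken = errors.New("username already held by another user")
	ErrUsernameEmpty = errors.New("username must not be empty")
)

// ValidateUsernameUpdate runs at update time and rejects a change to
// .username that collides with a different User resource. Enforcing
// uniqueness here (rather than at login) stops an update from creating
// two users that both claim "admin" and then denying both of them access.
func ValidateUsernameUpdate(old, updated User, existing []User) error {
	if old.Username == updated.Username {
		return nil // .username unchanged; nothing to validate
	}
	if updated.Username == "" {
		return ErrUsernameEmpty
	}
	for _, u := range existing {
		// Compare against every other resource, not against the one being updated.
		if u.Name != updated.Name && u.Username == updated.Username {
			return fmt.Errorf("%w: %q is held by %s", ErrUsernameTaken, updated.Username, u.Name)
		}
	}
	return nil
}

func main() {
	users := []User{
		{Name: "user-admin", Username: "admin"},
		{Name: "user-x", Username: "alice"},
	}
	attempt := User{Name: "user-x", Username: "admin"} // collides with user-admin
	fmt.Println(ValidateUsernameUpdate(users[1], attempt, users))
}
```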
OSV · 2025-09-26 · CVE-2024-58260 [HIGH]: Rancher update on users can deny the service to the admin (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.