github.com/rancher/rancher vulnerabilities
55 known vulnerabilities affecting github.com/rancher_rancher.

Total CVEs: 55
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 30, MEDIUM 13

Vulnerabilities (page 1 of 3)
Each entry is listed as: CVE | severity | CWE | affected version ranges | date

CVE-2021-25320 | CRITICAL | CWE-284 | affected: ≥ 2.2.0, < 2.4.16; ≥ 2.5.0, < 2.5.9 | 2026-03-03
Rancher cloud credentials can be used through proxy API by users without access
A vulnerability was discovered in Rancher 2.2.0 through the aforementioned patched versions, where cloud credentials weren't being properly validated through the Rancher API, specifically through a proxy designed to communicate with cloud providers. Any Rancher user that was logged-in and aware of a clou

CVE-2022-31247 | CRITICAL | CWE-285 | affected: ≥ 2.5.0, < 2.5.16; ≥ 2.6.0, < 2.6.7 | 2026-03-03
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
### Impact
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where a flaw with authorization logic allows privilege escalation through cluster role template binding (CRTB) and project role template binding

CVE-2021-36783 | CRITICAL | CWE-200 | affected: ≥ 2.5.0, < 2.5.13; ≥ 2.6.0, < 2.6.4 | 2026-03-03
Rancher doesn't properly sanitize credentials in cluster template answers
### Impact
It was discovered that in Rancher versions up to and including 2.5.12 and 2.6.3 there is a failure to properly sanitize credentials in cluster template answers. This failure can lead to plaintext storage and exposure of credentials, passwords and API tokens.
The exposed credentials are visible in Ranche

CVE-2023-22648 | HIGH | CWE-269 | affected: ≥ 2.6.7, < 2.6.13; ≥ 2.7.0, < 2.7.4 | 2026-03-03
Rancher's Azure AD permission changes are not reflected on active sessions
A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in to the Rancher UI. This would cause users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example to a lower privileged group, or are removed from a group

CVE-2022-21951 | MEDIUM | CWE-311 | affected: ≥ 2.6.0, < 2.6.5; ≥ 2.5.0, < 2.5.14 | 2026-03-03
Rancher's weave CNI password is not configured when a cluster is created from an RKE template
### Impact
This vulnerability only affects customers using [Weave](https://rancher.com/docs/rancher/v2.6/en/faq/networking/cni-providers/#weave) CNI (Container Network Interface) when configured through [RKE templates](https://rancher.com/docs/rancher/v2.6/en/admin-settings/rke

CVE-2025-67601 | HIGH | CWE-295 | affected: ≥ 0, < 0.0.0-20260129092249-bb0625fd1896; ≥ 2.13.0, < 2.13.2 (+3 more) | 2026-02-01
Rancher CLI skips TLS verification on Rancher CLI login command
### Impact
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the `-skip-verify` flag to the Rancher CLI login command without also passing the `--cacert` flag results in the CLI attempting to fetch CA certificates stored in Rancher's `cacerts` setting. This does not apply to any ot

CVE-2024-58269 | MEDIUM | CWE-532 | affected: ≥ 0, < 0.0.0-20251013203444-50dc516a19ea | 2025-10-24
Rancher exposes sensitive information through audit logs
### Impact
**Note: The exploitation of this issue requires that the malicious user have access to Rancher's audit log storage.**
A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. This happ

CVE-2023-32199 | MEDIUM | CWE-281 | affected: ≥ 0, < 0.0.0-20251014212116-7faa74a968c2 | 2025-10-24
Rancher user retains access to clusters despite Global Role removal
### Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.
This only affects custom Global Roles that:
- Have a `*` on `*` in `*` rule for resources
- Have a `*` on `*` rul

CVE-2024-58267 | HIGH | CWE-345 | affected: ≥ 2.12.0, < 2.12.2; ≥ 2.11.0, < 2.11.6 (+2 more) | 2025-09-26
Rancher CLI SAML authentication is vulnerable to phishing attacks
### Impact
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher's authentication tokens.
Rancher Manager deployments without SAML authentication

CVE-2024-58260 | HIGH | CWE-863 | affected: ≥ 2.12.0, < 2.12.2; ≥ 2.11.0, < 2.11.6 (+2 more) | 2025-09-26
Rancher update on users can deny the service to the admin
### Impact
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically:
- Username takeover: A user with permission to update another user's resource c

CVE-2025-54468 | MEDIUM | CWE-200 | affected: ≥ 2.12.0, < 2.12.2; ≥ 2.11.0, < 2.11.6 (+2 more) | 2025-09-26
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
### Impact
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information

CVE-2024-58259 | HIGH | CWE-770 | affected: ≥ 2.12.0, < 2.12.1; ≥ 2.11.0, < 2.11.5 (+3 more) | 2025-08-29
Rancher affected by unauthenticated Denial of Service
### Impact
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. A malicious user could exploit this by sending excessively large payloads, which are fully loaded into memory during processing. This could result in:
- Denial

CVE-2024-22031 | HIGH | CWE-863 | affected: ≥ 2.8.0, < 2.9.9; ≥ 2.10.0, < 2.10.5 (+1 more) | 2025-04-25
Rancher users who can create Projects can gain access to arbitrary projects
### Impact
A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resultin

CVE-2025-23391 | CRITICAL | CWE-266 | affected: ≥ 2.8.0, < 2.8.14; ≥ 2.9.0, < 2.9.8 (+1 more) | 2025-04-01
Rancher: Restricted Administrator can change Administrator's passwords
### Impact
A vulnerability has been identified within Rancher where a Restricted Administrator can change the password of Administrators and take over their accounts.
A Restricted Administrator should not be allowed to change the password of more privileged users unless the role includes the Manage Users permission.
Rancher

CVE-2025-23389 | HIGH | CWE-284 | affected: ≥ 2.8.0, < 2.8.13; ≥ 2.9.0, < 2.9.7 (+1 more) | 2025-02-27
Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login
### Impact
A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.
The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A ne

CVE-2025-23388 | HIGH | CWE-121 | affected: ≥ 2.8.0, < 2.8.13; ≥ 2.9.0, < 2.9.7 (+1 more) | 2025-02-27
Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API
### Impact
An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher's `/v3-public/authproviders` public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actuall

CVE-2025-23387 | MEDIUM | CWE-200 | affected: ≥ 2.8.0, < 2.8.13; ≥ 2.9.0, < 2.9.7 (+1 more) | 2025-02-27
Rancher's SAML-based login via CLI can be denied by unauthenticated users
### Impact
A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using `rancher token` as the execution comma

CVE-2024-52281 | HIGH | CWE-79 | affected: ≥ 2.9.0, < 2.9.4 | 2025-01-14
Rancher UI has Stored Cross-site Scripting vulnerability
### Impact
A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.
Please consult the associated [MITRE ATT&CK - Technique - Drive-by Compromise](https://attack.mitre.org/techniques/T1189/) for further information about this category of attack.
### Patches

CVE-2024-52282 | MEDIUM | CWE-200 | affected: ≥ 2.8.0, < 2.8.10; ≥ 2.9.0, < 2.9.4 | 2024-11-20
Rancher Helm Applications may have sensitive values leaked
### Impact
A vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the `Apps` Custom Resource Definition, resulting in any user with `GET` access to it being able to read any sensitive information contained within the Apps' values. Ad

CVE-2024-22036 | CRITICAL | CWE-269 | affected: ≥ 2.7.0, < 2.7.16; ≥ 2.8.0, < 2.8.9 (+1 more) | 2024-10-25
Rancher Remote Code Execution via Cluster/Node Drivers
### Impact
A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the `chroot` jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For the test and development envi