Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
9.4

CVE-2026-41052: Rancher Privilege Escalation Vulnerability

CVE-2026-41052 GHSA-vx8h-4prv-g744
Summary

Rancher versions 2.14, 2.13, and 2.12 have a vulnerability that allows users with a specific role to gain higher-level access. This could allow them to make changes they shouldn't be able to make. To stay secure, update to the latest version of Rancher.

What to do
  • Update github.com rancher to version 2.14.2.
  • Update github.com rancher to version 2.13.6.
  • Update github.com rancher to version 2.12.10.
  • Update github.com rancher to version 0.0.0-20260513182521-2800aaac25b5.
Affected software
Ecosystem VendorProductAffected versions
suse rancher >= 2.12.0, < 2.12.10
>= 2.13.0, < 2.13.6
>= 2.14.0, < 2.14.2
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
go github.com rancher >= 2.14.0, < 2.14.2
>= 2.13.0, < 2.13.6
>= 2.12.0, < 2.12.10
< 0.0.0-20260513182521-2800aaac25b5
Fix: upgrade to 2.14.2
Original title
Rancher has Privilege Escalation from Project Owner to Host
Original description
### Impact

A vulnerability has been identified in Rancher Manager that allows users assigned the Project Owner role to modify Pod Security Admission (PSA) labels on namespaces within their projects. Under the default role configuration, an attacker with the following access pattern can exploit this issue:
1. **Cluster Access:** The user is granted Cluster Member access.
2. **Project Ownership:** The user creates or is assigned ownership of a project.
3. **Namespace Creation:** The user creates a namespace within that project.
4. **PSA Modification:** The user modifies the namespace PSA configuration to use the privileged profile.
5. **Privilege Escalation:** The user deploys privileged workloads within the namespace.

As outlined in the [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) documentation, `privileged` containers disable core Kubernetes security protections, allowing workloads to bypass standard container isolation boundaries. This can result in privilege escalation within the cluster environment.

Potential impacts include:
- Deployment of privileged containers
- Access to host-level resources
- Container breakout
- Cluster privilege escalation
- Compromise of workloads running on affected nodes

Please refer to the associated MITRE ATT&CK techniques for further information about this category of attack:
- [Deploy Container](https://attack.mitre.org/techniques/T1610/)
- [Escape to Host](https://attack.mitre.org/techniques/T1611/)
- [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)

Reference:
[Kubernetes Pod Security Standards — Privileged Profile](https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged)

### Patches
This vulnerability is resolved by modifying the `project-owner` role to explicitly define the allowed verbs for `projects` resources instead of using the wildcard `(*)` permission.

The updated role configuration removes access to the `updatepsa` verb. This prevents project owners from modifying PSA settings in a manner that could enable privilege escalation.

Patched versions of Rancher include releases `v2.12.10`, `v2.13.6`, and `v2.14.2`.

### Workarounds
If upgrading is not immediately possible, administrators should create a custom project role based on the existing Project Owner role, while removing unrestricted wildcard permissions for project resources.

The allowed verbs for projects should be restricted to: “`get`, `update`, `delete`, `patch`, `create`, `list`, `watch`, `deletecollection`” instead of “`*`”.

This prevents access to the `updatepsa` capability that enables the privilege escalation path.

### References
If you have any questions or comments about this advisory:
- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).
nvd CVSS4.0 9.4
Vulnerability type
CWE-305
Published: 1 Jul 2026 · Updated: 4 Jul 2026 · First seen: 29 Jun 2026