Rancher 2.13/2.14 Auth Caching Grants Admin Access to Any User
CVE-2026-41053 Published on June 30, 2026

Over-inclusive team membership expansion in GitHub App authentication provider for Rancher
Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-41053 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Incorrect Implementation of Authentication Algorithm

The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.


Products Associated with CVE-2026-41053

Want to know whenever a new CVE is published for Suse Rancher? stack.watch will email you.

 

Affected Versions

SUSE Rancher: