Rancher FleetWorkspace (v0.7.0-0.10.7) Unauth Webhook Priv Esc
CVE-2026-44949 Published on June 30, 2026
Unauthenticated namespace creation and RBAC injection via rancher-webhook FleetWorkspace mutating webhook
A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2026-44949
Want to know whenever a new CVE is published for Suse Rancher? stack.watch will email you.
Affected Versions
SUSE Rancher:- Version 0.7.0 and below 0.7.10 is affected.
- Version 0.8.0 and below 0.8.7 is affected.
- Version 0.9.0 and below 0.9.6 is affected.
- Version 0.10.0 and below 0.10.7 is affected.