CVE Daily
← All tags

Tag: Rancher

All CVEs associated with "Rancher". Page 1/1 • 59 CVEs.

About “Rancher”

A curated feed of “Rancher”-related CVEs appears below. We currently track 59 CVEs for this tag (all time). In the last 365 days, 10 were published. Average CVSS is 7.8 (all time; 6.9 over 365d), and 76% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-532 - Insertion of Sensitive Information into Log File, CWE-269 - Improper Privilege Management, CWE-35 - Path Traversal: '.../...//'.

In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: rancher

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
2.142.14.2
2.132.13.6
2.122.12.10
2.112.11.14 Soon
2.102.10.12 Soon
2.92.9.12 Expired
2.82.8.15 Expired
2.72.7.18 Expired
2.62.6.14 Expired
2.52.5.17 Expired
2.42.4.18 Expired
2.32.3.11 Expired
2.22.2.13 Expired
2.12.1.14 Expired
2.02.0.16 Expired
1.61.6.30 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Rancher”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-28
High

CVE-2026-44543

Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in…

CVSS: 8.7 CWE: CWE-269 - Improper Privilege Management View on NVD
2026-05-13
High

CVE-2026-25705

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher throu…

CVSS: 8.4 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
2026-03-04
Medium

CVE-2025-62879

A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.

CVSS: 6.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2026-02-25
High

CVE-2025-67601

A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the –cacert…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-10-29
Medium

CVE-2024-58269

A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Ran…

CVSS: 4.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2023-32199

A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to…

CVSS: 4.3 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
2025-10-02
High

CVE-2024-58267

A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-ba…

CVSS: 8.0 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
High

CVE-2024-58260

A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources t…

CVSS: 7.6 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-54468

A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpo…

CVSS: 4.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-09-02
High

CVE-2024-58259

A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a m…

CVSS: 8.2 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2025-04-16
High

CVE-2024-52281

A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue…

CVSS: 8.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-22036

A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environme…

CVSS: 9.1 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2023-32197

A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from…

CVSS: 6.6 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-04-11
High

CVE-2024-52280

A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher which allows users to watch resources they are not allowed to access, when they have at least some generic…

CVSS: 7.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2025-23391

A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: fro…

CVSS: 9.1 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-23389

A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2…

CVSS: 8.4 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-23388

A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.

CVSS: 8.2 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Medium

CVE-2025-23387

A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able t…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-52282

A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET access to the Rancher Manager Apps Catalog to read any sensitive information th…

CVSS: 6.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-11-13
Critical

CVE-2022-45157

A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphe…

CVSS: 9.1 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2024-10-16
High

CVE-2024-22030

A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired doma…

CVSS: 8.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-22650

A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies t…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2023-22649

A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-use…

CVSS: 8.4 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-12-12
High

CVE-2020-10676

In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-06-01
High

CVE-2023-22648

A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users t…

CVSS: 8.0 CWE: CWE-271 - Privilege Dropping / Lowering Errors View on NVD
Critical

CVE-2023-22647

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the s…

CVSS: 9.9 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
High

CVE-2022-43760

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed…

CVSS: 8.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-05-30
Low

CVE-2023-32684

Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0, a virtual machine instance with a malicious disk image could read a single file on the host…

CVSS: 2.7 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2023-05-04
Critical

CVE-2023-22651

Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook.…

CVSS: 9.9 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-02-07
High

CVE-2022-43759

A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue aff…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2022-43758

A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm cat…

CVSS: 7.6 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2022-43757

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue aff…

CVSS: 9.9 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
Medium

CVE-2022-43756

A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying spec…

CVSS: 5.9 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2022-43755

A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Ran…

CVSS: 7.1 CWE: CWE-331 - Insufficient Entropy View on NVD
High

CVE-2022-31249

A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying hos…

CVSS: 7.5 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2022-21953

A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher…

CVSS: 7.4 CWE: CWE-862 - Missing Authorization View on NVD
2022-09-07
Critical

CVE-2022-31247

An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, ma…

CVSS: 9.1 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2021-36783

A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API to…

CVSS: 9.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Critical

CVE-2021-36782

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes AP…

CVSS: 9.9 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2022-05-25
Medium

CVE-2022-21951

A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted…

CVSS: 6.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-05-02
Medium

CVE-2021-4200

A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. This issue affects: SUSE Rancher Rancher versions…

CVSS: 5.4 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2021-36784

A Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13;…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2021-36778

A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Ranche…

CVSS: 7.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-04-04
High

CVE-2021-36776

A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10.

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2021-36775

a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versi…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2022-04-01
High

CVE-2022-21947

A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issu…

CVSS: 8.3 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2021-07-28
Medium

CVE-2021-32001

K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private…

CVSS: 6.5 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2021-07-15
High

CVE-2021-31999

A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the "Impersonate-User" or "Impersonate-Grou…

CVSS: 8.8 CWE: CWE-807 - Reliance on Untrusted Inputs in a Security Decision View on NVD
Critical

CVE-2021-25320

A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach…

CVSS: 9.9 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2021-25318

A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions p…

CVSS: 8.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2021-03-05
High

CVE-2021-25313

A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects:…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-09-04
Medium

CVE-2019-13209

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-07-30
Critical

CVE-2019-11202

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. When Rancher starts for the first time, it creates a d…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2019-06-10
Medium

CVE-2019-11881

A vulnerability exists in Rancher before 2.2.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols.…

CVSS: 4.7 CWE: N/A View on NVD
2019-06-06
High

CVE-2019-12303

In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container.

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2019-12274

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain…

CVSS: 8.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2019-04-10
High

CVE-2019-6287

In Rancher 2.0.0 through 2.1.5, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it.

CVSS: 8.1 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2018-20321

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute admi…

CVSS: 8.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2017-03-29
High

CVE-2017-7297

Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/serve…

CVSS: 8.8 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox