8.8

CVE-2026-41053

Over-inclusive team membership expansion in GitHub App authentication provider for Rancher

Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SuseRancher Version >= 2.13.0 < 2.13.6
SuseRancher Version >= 2.14.0 < 2.14.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.289
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
meissner@suse.de 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh
Patch
Vendor Advisory
Mitigation