PT-2025-39666 · Suse · Rancher Manager

Samjustus · Published 2025-09-26 · Updated 2025-10-27 · CVE-2025-54468

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Rancher Manager versions prior to 2.9.12
Rancher Manager versions prior to 2.10.10
Rancher Manager versions prior to 2.11.6
Rancher Manager versions prior to 2.12.2
Description

A flaw in Rancher Manager allows sensitive information, such as the user's email address, to be sent in Impersonate-Extra-* headers to external entities when new cloud credentials are created. The leak occurs through the /meta/proxy API endpoint, which forwards requests to the domains whitelisted in nodedrivers.management.cattle.io objects (for example amazonaws.com and api.digitalocean.com), so the recipients are those third-party cloud APIs rather than arbitrary hosts. The affected headers include Impersonate-Extra-Username and Impersonate-Extra-Principalid. Passwords, password hashes and Rancher authentication tokens are not leaked.
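Added example, not Rancher's code or its actual patch: a small Go model of the behaviour described above. A reverse proxy stands in for /meta/proxy, a local test server stands in for a whitelisted cloud API, and the request carries constructed Impersonate-* headers of the kind an authenticating layer attaches for the logged-in user. With stripping disabled the upstream receives them (the leak); with stripping enabled they are removed before the request leaves. `allowedDomains`, `hostAllowed` and `stripImpersonationHeaders` are illustrative names and values assumed for this example, and the allow-list check is shown separately because the test server listens on 127.0.0.1.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sort"
	"strings"
	"sync"
)

// allowedDomains is a constructed stand-in for the domains a
// nodedrivers.management.cattle.io object may whitelist for /meta/proxy.
var allowedDomains = []string{"amazonaws.com", "api.digitalocean.com"}

// hostAllowed reports whether host is an allow-listed domain or a subdomain
// of one. A bare suffix test would also accept "evilamazonaws.com", so the
// match is anchored on an exact name or a dot boundary.
func hostAllowed(host string) bool {
	host = strings.ToLower(host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	for _, d := range allowedDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// stripImpersonationHeaders drops every Kubernetes impersonation header
// (Impersonate-User, Impersonate-Group, Impersonate-Uid, Impersonate-Extra-*).
// Only a Kubernetes API server has any use for them; a third-party cloud API
// must never receive them.
func stripImpersonationHeaders(h http.Header) {
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "impersonate-") {
			h.Del(name)
		}
	}
}

// newProxy builds a reverse proxy to target. strip=false mirrors the leaky
// behaviour (headers forwarded untouched); strip=true is the hardened variant.
func newProxy(target *url.URL, strip bool) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		if strip {
			stripImpersonationHeaders(r.Header)
		}
	}
	return rp
}

// impersonationHeadersReceived sends one request carrying constructed
// Impersonate-* headers through the proxy to a local fake "cloud API" and
// returns the sorted names of the impersonation headers upstream received.
func impersonationHeadersReceived(strip bool) ([]string, error) {
	var (
		mu   sync.Mutex
		seen []string
	)
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		for name := range r.Header {
			if strings.HasPrefix(strings.ToLower(name), "impersonate-") {
				seen = append(seen, name)
			}
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer upstream.Close()

	target, err := url.Parse(upstream.URL)
	if err != nil {
		return nil, err
	}
	proxy := httptest.NewServer(newProxy(target, strip))
	defer proxy.Close()

	req, err := http.NewRequest(http.MethodGet, proxy.URL+"/v2/account", nil)
	if err != nil {
		return nil, err
	}
	// Constructed values of the kind attached for the logged-in user.
	req.Header.Set("Impersonate-User", "u-abc123")
	req.Header.Set("Impersonate-Extra-Username", "alice@example.com")
	req.Header.Set("Impersonate-Extra-Principalid", "local://u-abc123")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()

	mu.Lock()
	defer mu.Unlock()
	sort.Strings(seen)
	return seen, nil
}

func main() {
	leaky, _ := impersonationHeadersReceived(false)
	fixed, _ := impersonationHeadersReceived(true)
	fmt.Println("forwarded unchanged:", leaky)
	fmt.Println("after stripping:", fixed)
	fmt.Println("ec2.amazonaws.com allowed:", hostAllowed("ec2.amazonaws.com"))
	fmt.Println("evilamazonaws.com allowed:", hostAllowed("evilamazonaws.com"))
}
```

The two checks are independent on purpose: the allow-list limits where the proxy will send a request, while the header strip limits what the request carries, and the advisory shows that the first alone is not enough when the destination is a legitimate third party.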
Recommendations

Update Rancher Manager to version 2.9.12 or later.
Update Rancher Manager to version 2.10.10 or later.
Update Rancher Manager to version 2.11.6 or later.
Update Rancher Manager to version 2.12.2 or later.
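Added example, not part of the advisory or of Rancher's tooling: a Go check that maps a reported Rancher Manager version onto the four ranges above, which is what an inventory script needs when deciding which installations still require the update. It treats "prior to 2.9.12" as covering every older branch as well, handles a leading "v" and pre-release suffixes such as "-rc1" (which sort before the final release), and assumes that branches newer than 2.12 are not affected, since the advisory lists no fix for them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions holds the first patched release of each branch named in the
// advisory. Everything below 2.9.12 (including 2.8.x and older) is affected;
// on the later branches only releases below the listed fix are affected.
var fixedVersions = []string{"2.9.12", "2.10.10", "2.11.6", "2.12.2"}

// version is a parsed major.minor.patch triple plus a flag for pre-release
// suffixes such as "-rc1", which sort before the final release.
type version struct {
	num [3]int
	pre bool
}

// parseVersion accepts "2.11.6", "v2.11.6" and "2.12.2-rc1"; anything else is an error.
func parseVersion(s string) (version, error) {
	raw := strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v version
	if i := strings.IndexAny(raw, "-+"); i >= 0 {
		v.pre = raw[i] == '-' // "+build" metadata does not change ordering
		raw = raw[:i]
	}
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("unrecognised version %q", s)
		}
		v.num[i] = n
	}
	return v, nil
}

// less orders versions numerically, with a pre-release of X sorting before X.
func (a version) less(b version) bool {
	for i := range a.num {
		if a.num[i] != b.num[i] {
			return a.num[i] < b.num[i]
		}
	}
	return a.pre && !b.pre
}

func (a version) sameBranch(b version) bool {
	return a.num[0] == b.num[0] && a.num[1] == b.num[1]
}

// IsAffected reports whether a Rancher Manager version falls inside one of the
// advisory's vulnerable ranges. Branches newer than the last one listed are
// treated as not affected (assumption: they were released after the fix).
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for i, f := range fixedVersions {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		// The first entry is an absolute floor: "prior to 2.9.12" covers
		// every older branch too, not just 2.9.x.
		if i == 0 && v.less(fv) {
			return true, nil
		}
		if v.sameBranch(fv) {
			return v.less(fv), nil
		}
	}
	return false, nil
}

func main() {
	for _, s := range []string{"2.8.5", "2.9.11", "v2.9.12", "2.10.9", "2.11.6", "2.12.2-rc1", "2.13.0", "latest"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", s, affected)
	}
}
```

Feed it the version string reported by the Rancher UI or the server's settings API; a parse error (for example a "latest" tag) is returned rather than silently treated as fixed, so unknown inputs surface for manual review instead of dropping out of the list.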

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-54468
GHSA-MJCP-RJ3C-36FR
GO-2025-3982
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Rancher Manager