PT-2025-9094 · Rancher · Rancher

Pietro Dellamore · Published 2025-02-27 · Updated 2025-04-11 · CVE-2025-23387

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Rancher versions prior to v2.8.13
Rancher versions prior to v2.9.7
Rancher versions prior to v2.10.3

Description

A vulnerability has been identified in Rancher where an unauthenticated user can list and delete CLI authentication tokens, preventing users from logging in via the CLI. This issue affects SAML-based authentication providers and occurs because the login flow from the CLI polls the /v3-public/authTokens/<token name> endpoint. The token is encrypted and cannot be used to impersonate a real user if intercepted. Rancher deployments using only the local authentication provider or non-SAML-based authentication providers are not impacted.

Recommendations

For versions prior to v2.8.13, upgrade to version v2.8.13 or later.
For versions prior to v2.9.7, upgrade to version v2.9.7 or later.
For versions prior to v2.10.3, upgrade to version v2.10.3 or later.

As a temporary workaround, users can refrain from using the Rancher CLI to log in.
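The following is an added helper, not part of the advisory or of the Rancher project, that turns the affected ranges and upgrade targets above into a version check an operator can run against a fleet inventory. It assumes Rancher version strings of the form v2.9.5 or v2.9.7-rc1 (the pre-release suffix is an assumption about the naming scheme) and treats release lines newer than 2.10 as outside the advisory's stated ranges.

```python
import re

# Fix versions stated in the advisory, keyed by Rancher minor release line.
# The trailing 1 marks a final release so that a pre-release of the fix
# version (e.g. v2.9.7-rc1, an assumed version string) still compares as older.
FIXED_BY_LINE = {
    (2, 8): (2, 8, 13, 1),
    (2, 9): (2, 9, 7, 1),
    (2, 10): (2, 10, 3, 1),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Turn 'v2.9.5' or '2.9.7-rc1' into a comparable tuple (major, minor, patch, final)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def upgrade_target(text):
    """Return the advisory's minimum fixed version for this install, or None if not affected."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED_BY_LINE:
        fixed = FIXED_BY_LINE[line]
    elif line < (2, 8):
        fixed = FIXED_BY_LINE[(2, 8)]   # everything before v2.8.13 is affected
    else:
        return None                     # 2.11+ is outside the advisory's ranges
    if v >= fixed:
        return None
    return "v{}.{}.{}".format(*fixed[:3])


def is_affected(text):
    return upgrade_target(text) is not None


def is_impacted(text, saml_auth_provider):
    """Affected version AND exposed: the advisory scopes impact to SAML-based providers."""
    return is_affected(text) and saml_auth_provider


if __name__ == "__main__":
    for v in ("v2.7.9", "v2.8.12", "v2.8.13", "v2.9.7-rc1", "v2.10.2", "v2.11.0"):
        print(f"{v:12} affected={is_affected(v)!s:5} upgrade_to={upgrade_target(v)}")
```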

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-23387
GHSA-5QMP-9X47-92Q8
GO-2025-3489
OPENSUSE-SU-2025:14889-1

Affected Products

Rancher