PT-2026-55164 · Go · github.com/rancher/rancher
Published: 2026-07-01 · Updated: 2026-07-01
CVSS v3.1: 8.4 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Impact
A vulnerability has been identified in Rancher Manager that allows users assigned the Project Owner role to modify Pod Security Admission (PSA) labels on namespaces within their projects. Under the default role configuration, an attacker with the following access pattern can exploit this issue:
- Cluster Access: The user is granted Cluster Member access.
- Project Ownership: The user creates or is assigned ownership of a project.
- Namespace Creation: The user creates a namespace within that project.
- PSA Modification: The user modifies the namespace PSA configuration to use the privileged profile.
- Privilege Escalation: The user deploys privileged workloads within the namespace.
As outlined in the Kubernetes Pod Security Standards documentation, privileged containers disable core Kubernetes security protections, allowing workloads to bypass standard container isolation boundaries. This can result in privilege escalation within the cluster environment. Potential impacts include:
- Deployment of privileged containers
- Access to host-level resources
- Container breakout
- Cluster privilege escalation
- Compromise of workloads running on affected nodes
Please refer to the associated MITRE ATT&CK techniques for further information about this category of attack:
Patches
This vulnerability is resolved by modifying the project-owner role to explicitly define the allowed verbs for the projects resource instead of using the wildcard (*) permission. The updated role configuration removes access to the updatepsa verb. This prevents project owners from modifying PSA settings in a manner that could enable privilege escalation. Patched versions of Rancher include releases v2.12.10, v2.13.6, and v2.14.2.
Workarounds
If upgrading is not immediately possible, administrators should create a custom project role based on the existing Project Owner role, while removing unrestricted wildcard permissions for project resources.
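As an added check for this workaround (example code, not from the advisory or from Rancher), the script below audits RoleTemplate rules for any path to the updatepsa verb on projects, whether granted explicitly or through a wildcard on verbs, resources or API groups. It assumes RoleTemplate rules use the standard Kubernetes PolicyRule shape and that projects live in the management.cattle.io API group; the sample templates are constructed, not Rancher's real defaults.

```python
"""Audit Rancher RoleTemplate rules for the updatepsa escalation path.

Added example, not Rancher's own code. It assumes RoleTemplate rules use the
standard Kubernetes PolicyRule shape (apiGroups/resources/verbs), with the
projects resource in the management.cattle.io API group.
"""
import json

# Constructed sample RoleTemplates (not Rancher's real defaults). The first
# carries the wildcard grant the advisory describes, the second the explicit
# verb list from the workaround, the third grants updatepsa through wildcards
# on apiGroups and resources, which a naive string match on verbs would miss.
ROLE_TEMPLATES = json.loads("""
[
 {"metadata": {"name": "owner-wildcard"}, "context": "project",
  "rules": [{"apiGroups": ["management.cattle.io"],
             "resources": ["projects"], "verbs": ["*"]}]},
 {"metadata": {"name": "owner-restricted"}, "context": "project",
  "rules": [{"apiGroups": ["management.cattle.io"],
             "resources": ["projects"],
             "verbs": ["get", "update", "delete", "patch", "create",
                       "list", "watch", "deletecollection"]}]},
 {"metadata": {"name": "psa-via-wildcards"}, "context": "project",
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["updatepsa"]}]}
]
""")

API_GROUP, RESOURCE, VERB = "management.cattle.io", "projects", "updatepsa"


def _grants(field, wanted):
    """A PolicyRule field grants `wanted` if it lists it or uses '*'."""
    return "*" in field or wanted in field


def rule_grants_updatepsa(rule):
    """True if a single PolicyRule can reach updatepsa on projects."""
    return (_grants(rule.get("apiGroups", []), API_GROUP)
            and _grants(rule.get("resources", []), RESOURCE)
            and _grants(rule.get("verbs", []), VERB))


def find_psa_capable_roles(templates):
    """Names of RoleTemplates whose holders could change namespace PSA labels."""
    return [t["metadata"]["name"] for t in templates
            if any(rule_grants_updatepsa(r) for r in t.get("rules", []))]


if __name__ == "__main__":
    for name in find_psa_capable_roles(ROLE_TEMPLATES):
        print(f"{name}: grants updatepsa on projects, review before assigning")
```

Run it against the output of `kubectl get roletemplates.management.cattle.io -o json` (the `items` array) to list every project-scoped role that still reaches updatepsa.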
The allowed verbs for projects should be restricted to "get, update, delete, patch, create, list, watch, deletecollection" instead of "*". This prevents access to the updatepsa capability that enables the privilege escalation path.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
Affected Products
github.com/rancher/rancher