CVE-2026-41052
Undergoing Analysis - In Progress

Privilege Escalation in Rancher via Project Owner Role

Vulnerability report for CVE-2026-41052, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-30

Assigner: SUSE

Description

Improper privilege handling could be used by users with Project Owner role to escalate privileges, in Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

6 associated CPEs:

| Vendor | Product | Version / Range |
| --- | --- | --- |
| rancher | rancher | up to 2.14.2 (excluded) |
| rancher | rancher | up to 2.13.6 (excluded) |
| rancher | rancher | up to 2.12.10 (excluded) |
| rancher | rancher | from 2.12.0 (included) to 2.12.10 (excluded) |
| rancher | rancher | from 2.13.0 (included) to 2.13.6 (excluded) |
| rancher | rancher | from 2.14.0 (included) to 2.14.2 (excluded) |

Exploitability

CWE ID: CWE-305 (Authentication Bypass by Primary Weakness)
Description: The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

AI Quick Actions

Compliance Impact

This vulnerability allows users with the Project Owner role to escalate privileges to host-level access by modifying Pod Security Admission labels, enabling deployment of privileged workloads and potentially leading to container breakout and cluster-wide privilege escalation.

Such unauthorized privilege escalation and potential access to sensitive host and cluster resources can compromise the confidentiality, integrity, and availability of data and systems.

As a result, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

Executive Summary

This vulnerability in Rancher Manager (CVE-2026-41052) allows users with the Project Owner role to escalate their privileges to host-level access.

The issue arises because Project Owners can modify Pod Security Admission (PSA) labels on namespaces within their projects, enabling them to deploy privileged workloads.

By setting the PSA profile to privileged, attackers can bypass Kubernetes security protections, which can lead to container breakout, access to host resources, and potential cluster-wide privilege escalation.

This affects Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10.

Impact Analysis

This vulnerability can have severe impacts including unauthorized privilege escalation from a Project Owner role to host-level access.

An attacker exploiting this can deploy privileged workloads by modifying PSA labels, bypass Kubernetes security protections, and potentially break out of containers.

This can lead to unauthorized access to host resources and cluster-wide privilege escalation, compromising the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by checking whether users with the Project Owner role are able to modify Pod Security Admission (PSA) labels on namespaces within their projects. Specifically, verify whether the Project Owner role includes the `updatepsa` permission, which allows PSA profiles to be changed and therefore privileged workloads to be deployed.

To detect potential exploitation or presence of this vulnerability, you can audit Kubernetes namespaces for PSA profiles set to privileged and review role bindings for Project Owner permissions related to PSA label modifications.

Suggested commands include:

  • kubectl get rolebinding -A | grep 'project-owner' # To find Project Owner role bindings
  • kubectl get roles -A -o yaml | grep -A 5 'updatepsa' # To check if the updatepsa verb is allowed
  • kubectl get namespaces -l pod-security.kubernetes.io/enforce=privileged # To find namespaces with a privileged PSA enforce label (a label selector is exact; grepping the jsonpath map output for 'enforce=privileged' does not match kubectl's map formatting)

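
The same audit as a small script, added here as an example (not code from the page or from Rancher): it reads the JSON shape that `kubectl get ns -o json` and `kubectl get roles -A -o json` produce and reports namespaces enforcing the privileged PSA profile plus roles that allow `updatepsa`, including wildcard-verb roles that a text grep for the verb cannot see. The `field.cattle.io/projectId` label, the project IDs and the role names in the sample data are assumptions and constructed values.

```python
PSA_ENFORCE = "pod-security.kubernetes.io/enforce"
# Label Rancher places on project namespaces (assumption: its value is "<cluster>:<project>").
RANCHER_PROJECT = "field.cattle.io/projectId"

def privileged_namespaces(ns_list):
    """Return (namespace, projectId) for each namespace whose PSA enforce label is 'privileged'."""
    hits = []
    for ns in ns_list["items"]:
        labels = ns["metadata"].get("labels") or {}
        if labels.get(PSA_ENFORCE) == "privileged":
            hits.append((ns["metadata"]["name"], labels.get(RANCHER_PROJECT, "<no project>")))
    return hits

def roles_granting_updatepsa(role_list):
    """Return (namespace/name, how) for roles whose rules allow the 'updatepsa' verb.
    'explicit' means the verb is listed; 'wildcard' means verbs contains '*',
    which `grep 'updatepsa'` over the YAML would never report."""
    hits = []
    for role in role_list["items"]:
        meta = role["metadata"]
        ident = f"{meta.get('namespace', '-')}/{meta['name']}"
        verbs = {v for rule in role.get("rules") or [] for v in rule.get("verbs", [])}
        if "updatepsa" in verbs:
            hits.append((ident, "explicit"))
        elif "*" in verbs:
            hits.append((ident, "wildcard"))
    return hits

# Constructed sample data shaped like `kubectl get ns -o json` and `kubectl get roles -A -o json`.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "team-a", "labels": {PSA_ENFORCE: "baseline", RANCHER_PROJECT: "c-m-abc:p-111"}}},
    {"metadata": {"name": "team-b", "labels": {PSA_ENFORCE: "privileged", RANCHER_PROJECT: "c-m-abc:p-222"}}},
    {"metadata": {"name": "kube-system"}},  # no labels at all
]}
SAMPLE_ROLES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "p-222", "name": "project-owner"},
     "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["projects"], "verbs": ["updatepsa"]}]},
    {"metadata": {"namespace": "team-b", "name": "ns-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]}

if __name__ == "__main__":
    # For a real cluster, json.load() the output of the two kubectl commands above in place of the samples.
    print("namespaces enforcing 'privileged':", privileged_namespaces(SAMPLE_NAMESPACES))
    print("roles allowing 'updatepsa':", roles_granting_updatepsa(SAMPLE_ROLES))
```
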
Mitigation Strategies

Immediate mitigation steps include applying the available patches by upgrading Rancher to 2.12.10, 2.13.6, or 2.14.2 (or later) in the respective release line.

As a workaround until patches are applied, administrators should restrict the Project Owner role by removing the `updatepsa` verb permission, or create a custom role with limited permissions that does not allow modification of Pod Security Admission labels.

Additionally, review and restrict the ability to set PSA profiles to privileged to prevent deployment of privileged workloads that could lead to privilege escalation.
