CVE-2026-44939
Awaiting Analysis Awaiting Analysis - Queue

Command Injection in Rancher Manager Cluster

Vulnerability report for CVE-2026-44939, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-24

Assigner: SUSE

Description

A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to break out of an image, and execute e.g. malicious containers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-24
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
rancher rancher From 2.10.0 (inc) to 2.14.2 (exc)
rancher rancher 2.14.2
rancher rancher 2.13.6
rancher rancher 2.12.10
rancher rancher 2.11.14
rancher rancher 2.10.12

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44939 is a critical command injection vulnerability in Rancher Manager versions from 2.10.0 to 2.14.1. It exists in the cluster import endpoint `/v3/import/{token}_{clusterId}.yaml`, specifically in the `authImage` query parameter which is not properly sanitized before being rendered into a Kubernetes manifest template.

Attackers can exploit this by injecting URL-encoded newlines into the `authImage` parameter, allowing them to break out of the intended image field and insert malicious YAML configurations. This can lead to execution of arbitrary containers.

To exploit this, an attacker needs a valid cluster registration token and requires a victim to run `kubectl apply` on a crafted malicious URL. This results in deploying a DaemonSet on all control-plane nodes with privileged access, enabling the attacker to execute commands, access sensitive files like `/etc/kubernetes`, and gain full control over downstream clusters.

Impact Analysis

This vulnerability can have severe impacts including full compromise of Rancher-managed Kubernetes clusters. An attacker can execute arbitrary commands on control-plane nodes, deploy malicious containers, and gain privileged access to sensitive cluster data.

The attacker-controlled DaemonSet runs with host network access and privileged service accounts, allowing them to disrupt cluster operations, access confidential information, and potentially spread control to downstream clusters.

Detection Guidance

This vulnerability can be detected by inspecting the kube-api-auth DaemonSet in the cattle-system namespace for suspicious configurations that may indicate exploitation.

A suggested command to check for suspicious DaemonSet configurations is:

  • kubectl -n cattle-system get daemonset kube-api-auth -o yaml

Review the output for any unexpected or malicious YAML configurations, especially those that might have been injected via the authImage parameter.

Mitigation Strategies

Immediate mitigation steps include inspecting the kube-api-auth DaemonSet in the cattle-system namespace for suspicious or unauthorized configurations.

Before applying any manifests from the import endpoint, verify their integrity to ensure they have not been tampered with.

Upgrade Rancher Manager to a patched version such as 2.14.2, 2.13.6, 2.12.10, 2.11.14, or 2.10.12, which include validation of the authImage parameter to prevent this injection.

Compliance Impact

The vulnerability allows attackers to execute arbitrary commands and gain full control over downstream clusters, including access to sensitive data and the ability to disrupt operations.

Such unauthorized access and control over sensitive data could lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing or manipulating protected data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart