CVE-2026-44946
Awaiting Analysis (NVD queue)

SAML Replay Vulnerability in Rancher

Vulnerability report for CVE-2026-44946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: SUSE

Description

A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler: the handler did not enforce one-time use of SAML assertions, potentially allowing person-in-the-middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3.

Meta Information

EPSS evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Vendor    Product    Version / Range
rancher   rancher    From 2.11.0 (inclusive) to 2.14.2 (inclusive)
rancher   rancher    2.14.3
rancher   rancher    2.11.15
rancher   rancher    2.12.11
rancher   rancher    2.13.7

The range 2.11.0 through 2.14.2 is the vulnerable span. The four single-version entries (2.11.15, 2.12.11, 2.13.7, 2.14.3) are the releases that carry the fix and are listed here only because the CPE data names them; see Mitigation Strategies.

Exploitability

CWE-294 (Authentication Bypass by Capture-replay): a capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Executive Summary

CVE-2026-44946 is a SAML authentication replay vulnerability in Rancher affecting versions 2.11.0 to 2.14.2. The issue lies in Rancher's Assertion Consumer Service (ACS) handler, which does not enforce one-time use of SAML assertions. This flaw allows an attacker to replay a valid, signed SAML response to create new authenticated sessions as the victim.

The vulnerability impacts all SAML-based authentication providers integrated with Rancher, such as Okta, Ping, ADFS, Keycloak, and Shibboleth, because they share the same ACS handler.

Exploitation requires the attacker to obtain a valid, signed SAML response for the victim together with the victim's pre-authentication SAML state cookie (which ties the response to a specific login attempt), among other conditions. In practice that means a person-in-the-middle position on the victim's traffic to Rancher, or access to wherever the response was captured or logged. Successful exploitation grants the attacker the victim's permissions, including administrative access if the victim is an administrator.

Impact Analysis

This vulnerability can allow an attacker to impersonate a legitimate user by replaying a valid SAML authentication response, thereby gaining unauthorized access to Rancher sessions.

The attacker can obtain the same permissions as the victim, which may include administrative privileges, potentially leading to unauthorized control over Rancher environments.

Such unauthorized access can compromise the confidentiality and integrity of your systems and data managed through Rancher.

Detection Guidance

The available resources provide no specific detection command or query for exploitation of this vulnerability.

The usable signal is reuse. A SAML assertion ID (the ID attribute of the Assertion element, or the Response ID) should arrive at Rancher's ACS endpoint exactly once; the same ID arriving a second time, particularly from a different client address than the first time, or arriving outside its NotBefore/NotOnOrAfter window, is the replay pattern. If an ingress or reverse proxy in front of Rancher can log or mirror POST bodies to the ACS endpoint, decode the SAMLResponse form field and alert on any assertion ID seen twice. Independently, two Rancher sessions created for one user from one SAML login, or a login the user did not initiate, is worth investigating.

Mitigation Strategies

The fix is to upgrade Rancher to a release whose ACS enforces one-time use of SAML assertions: 2.11.15, 2.12.11, 2.13.7, or 2.14.3. Server-side tracking of consumed assertion IDs is what the patched releases add; it is not something an operator can bolt on from outside. Until the upgrade is done, the following reduce exposure but do not close the hole:

  • Shorten the assertion validity window (NotBefore/NotOnOrAfter) at the identity provider; a captured response is only replayable while that window is open.
  • Restrict network access to the Rancher ACS endpoint so that only expected client networks can POST to it.
  • Serve Rancher only over TLS (with HSTS) so the SAML response and the state cookie are not exposed to a network-level person in the middle. Note that a TLS-inspecting proxy that terminates that TLS is itself a place where the response can be captured, so it protects nothing by itself.
  • Log and alert on reused assertion IDs at the ACS (see Detection Guidance).

No complete workaround exists, so upgrading is the only real remedy.
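The following Go program is an added example, not Rancher's code and not the patch: it shows the one-time-use check the mitigation section describes (a server-side cache of consumed assertion IDs, bounded by each assertion's NotOnOrAfter) and, because it is the same comparison, the detection rule from the Detection Guidance section run over a constructed sequence of ACS POSTs. The SAMLResponse bodies, IDs and timestamps are constructed for the demo; signature verification is assumed to have already passed, which is exactly the situation in a replay, since the replayed response is validly signed.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// samlResponse is the minimal view of a SAML 2.0 Response a replay check
// needs. Tags use local names only, so namespaced IdP output and the
// constructed samples below both unmarshal.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Assertion    struct {
		ID         string `xml:"ID,attr"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

var (
	ErrReplay  = errors.New("saml: assertion ID already consumed")
	ErrExpired = errors.New("saml: assertion outside NotBefore/NotOnOrAfter window")
	ErrState   = errors.New("saml: InResponseTo does not match the pending AuthnRequest")
)

// replayCache records consumed assertion IDs until their NotOnOrAfter passes.
// It is per-process (assumption for the demo); a multi-replica deployment
// would need a shared store so a replay cannot land on a different replica.
type replayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func newReplayCache() *replayCache {
	return &replayCache{seen: make(map[string]time.Time)}
}

// Consume validates one ACS POST body (the base64 SAMLResponse form field).
// expectedRequestID is the AuthnRequest ID held in the pre-auth state cookie;
// now is injected so the validity window can be exercised deterministically.
func (c *replayCache) Consume(b64, expectedRequestID string, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("saml: bad base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("saml: bad xml: %w", err)
	}
	if r.InResponseTo == "" || r.InResponseTo != expectedRequestID {
		return "", ErrState
	}
	nb, err1 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("saml: Conditions must carry NotBefore and NotOnOrAfter")
	}
	if now.Before(nb) || !now.Before(noa) {
		return "", ErrExpired
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	for id, exp := range c.seen { // an expired ID cannot be replayed anyway
		if !now.Before(exp) {
			delete(c.seen, id)
		}
	}
	if _, dup := c.seen[r.Assertion.ID]; dup {
		return "", ErrReplay // the vulnerable handler lacked exactly this check
	}
	c.seen[r.Assertion.ID] = noa
	return r.Assertion.ID, nil
}

// sampleResponse builds a constructed, unsigned SAMLResponse for the demo.
func sampleResponse(assertionID, inResponseTo string, nb, noa time.Time) string {
	x := fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`+
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" InResponseTo="%s">`+
		`<saml:Assertion ID="%s" Version="2.0"><saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>`+
		`</saml:Assertion></samlp:Response>`,
		inResponseTo, assertionID, nb.Format(time.RFC3339), noa.Format(time.RFC3339))
	return base64.StdEncoding.EncodeToString([]byte(x))
}

// Demo presents one captured response four times and returns the verdicts.
func Demo() []string {
	t0 := time.Date(2026, 6, 30, 12, 0, 0, 0, time.UTC)
	resp := sampleResponse("_assert_a1", "_req_42", t0.Add(-time.Minute), t0.Add(5*time.Minute))
	c := newReplayCache()
	var out []string
	verdict := func(err error) {
		switch {
		case err == nil:
			out = append(out, "accepted")
		case errors.Is(err, ErrReplay):
			out = append(out, "rejected: replay")
		case errors.Is(err, ErrExpired):
			out = append(out, "rejected: expired")
		case errors.Is(err, ErrState):
			out = append(out, "rejected: state")
		default:
			out = append(out, "rejected: "+err.Error())
		}
	}
	_, err := c.Consume(resp, "_req_42", t0) // the victim's real login
	verdict(err)
	_, err = c.Consume(resp, "_req_42", t0.Add(30*time.Second)) // replay with the stolen state cookie
	verdict(err)
	_, err = c.Consume(resp, "_req_99", t0.Add(30*time.Second)) // replay without the cookie
	verdict(err)
	_, err = c.Consume(resp, "_req_42", t0.Add(10*time.Minute)) // replay after NotOnOrAfter
	verdict(err)
	return out
}

func main() {
	for _, v := range Demo() {
		fmt.Println(v)
	}
}
```

The second call is the CVE scenario: same signed response, same state cookie, thirty seconds later. Only the assertion-ID cache stops it; the InResponseTo and window checks both pass, which is why shortening the IdP's validity window narrows the attack but cannot prevent it. For offline detection, the same loop over decoded ACS POST bodies with the cache replaced by a map of first-seen timestamps yields the list of reused IDs.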

Compliance Impact

The CVE-2026-44946 vulnerability allows attackers to replay valid SAML authentication assertions to gain unauthorized access, including administrative privileges, to Rancher systems. This unauthorized access can lead to breaches of confidentiality and integrity of sensitive data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to protect data privacy and security.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to compromised authentication mechanisms and unauthorized data access.
