CVE-2026-44947

Legacy PRTB Reconciler Flaw Grants Unauthorized PSA Permissions in Rancher

Vulnerability report for CVE-2026-44947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: SUSE

Description

A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product  Version / Range
rancher  rancher  From 2.13.0 (inc) to 2.13.8 (exc)
rancher  rancher  From 2.14.0 (inc) to 2.14.4 (exc)

Exploitability

CWE

CWE-281: The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Executive Summary

CVE-2026-44947 is a vulnerability in Rancher that allows users to retain unauthorized Pod Security Admission (PSA) permissions even after an administrator removes those permissions from a RoleTemplate.

This happens because the legacy Project Role Template Binding (PRTB) reconciler, which is the default configuration in affected Rancher versions, does not properly clean up the associated PSA ClusterRole and ClusterRoleBinding when the updatepsa permission is removed from a RoleTemplate.

As a result, users keep persistent unauthorized access to modify PSA enforcement levels across project namespaces.

The vulnerability affects Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3, and is fixed in versions 2.13.7 and 2.14.3.

Impact Analysis

The vulnerability lets users retain permissions to modify Pod Security Admission (PSA) enforcement levels within project namespaces after an administrator has revoked them.

Such unauthorized access could lead to weakening of security policies enforced by PSA, potentially allowing users to bypass security restrictions intended to protect containerized workloads.

This persistent unauthorized access increases the risk of privilege escalation and unauthorized changes to security configurations, which could compromise the security posture of your Kubernetes environment managed by Rancher.

Compliance Impact

The vulnerability allows users to retain unauthorized Pod Security Admission (PSA) permissions even after an administrator removes those permissions from a RoleTemplate. This unauthorized persistence of permissions could lead to unauthorized access or modification of security enforcement levels across project namespaces.

Such unauthorized access and improper permission management may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and proper management of permissions to protect sensitive data and maintain security.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Detection Guidance

This vulnerability involves users retaining unauthorized Pod Security Admission (PSA) permissions due to stale PSA ClusterRoles and ClusterRoleBindings not being cleaned up after permissions are removed from a RoleTemplate.

To detect this issue, administrators should check for PSA ClusterRoles and ClusterRoleBindings that remain after the updatepsa permission has been removed from a RoleTemplate.

Specific commands are not provided in the resources, but the usual Kubernetes commands for listing ClusterRoles and ClusterRoleBindings can be used to surface candidate stale permissions, such as:

  • kubectl get clusterroles | grep psa
  • kubectl get clusterrolebindings | grep psa

Comparing these outputs against the current RoleTemplates, and looking for entries that should have been removed after a RoleTemplate update, can reveal whether the vulnerability has left stale permissions in place.
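As an added example (not the advisory's or Rancher's own code), the comparison above can be scripted: the Python below checks whether each PSA ClusterRole still grants the updatepsa verb that its source RoleTemplate no longer carries, and lists the ClusterRoleBindings that keep subjects over-privileged. It assumes the link from ClusterRole to RoleTemplate is carried in a hypothetical "roletemplate" label, and it uses constructed objects in place of the JSON that kubectl would return.

```python
PSA_VERB = "updatepsa"        # RoleTemplate verb the advisory says must be cleaned up
LINK_LABEL = "roletemplate"   # hypothetical label naming the source RoleTemplate

def grants_psa(rules):
    """True if any RBAC rule still carries the updatepsa verb."""
    return any(PSA_VERB in rule.get("verbs", []) for rule in rules or [])

def find_stale_psa(roletemplates, clusterroles, bindings):
    """Return (stale ClusterRole names, [(binding name, subjects), ...]): a PSA
    ClusterRole is stale when it still grants updatepsa but its RoleTemplate does not."""
    stale_roles = []
    for cr in clusterroles:
        meta = cr["metadata"]
        source = meta.get("labels", {}).get(LINK_LABEL)
        if source not in roletemplates:
            continue  # not derived from a known RoleTemplate: nothing to compare
        if grants_psa(cr.get("rules")) and not grants_psa(roletemplates[source]):
            stale_roles.append(meta["name"])
    # Every binding that references a stale role keeps its subjects over-privileged.
    stale_bindings = [
        (b["metadata"]["name"], [s["name"] for s in b.get("subjects", [])])
        for b in bindings
        if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in stale_roles
    ]
    return stale_roles, stale_bindings

# Constructed sample objects, not real cluster output. The admin has removed
# updatepsa from "project-owner", but its PSA ClusterRole and binding remain.
ROLETEMPLATES = {
    "project-owner": [{"verbs": ["get", "list"]}],
    "psa-editor": [{"verbs": ["updatepsa"]}],
}
CLUSTERROLES = [
    {"metadata": {"name": "project-owner-psa", "labels": {LINK_LABEL: "project-owner"}},
     "rules": [{"verbs": ["updatepsa"]}]},
    {"metadata": {"name": "psa-editor-psa", "labels": {LINK_LABEL: "psa-editor"}},
     "rules": [{"verbs": ["updatepsa"]}]},
]
BINDINGS = [
    {"metadata": {"name": "project-owner-psa-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "project-owner-psa"},
     "subjects": [{"kind": "User", "name": "u-alice"}]},
    {"metadata": {"name": "psa-editor-psa-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "psa-editor-psa"},
     "subjects": [{"kind": "User", "name": "u-bob"}]},
]
print(find_stale_psa(ROLETEMPLATES, CLUSTERROLES, BINDINGS))
```

Roles and bindings it reports are the ones the mitigation section says to delete by hand; anything without the linking label is skipped rather than guessed at.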

Mitigation Strategies

To mitigate this vulnerability, administrators should manually delete stale PSA ClusterRoles and ClusterRoleBindings that persist after removing updatepsa permissions from a RoleTemplate.

Additionally, upgrading Rancher to 2.13.7 or 2.14.3 or later includes the fix for this issue.

If possible, enabling the aggregated-roletemplates feature flag can prevent this issue by ensuring proper state reconciliation.
