← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-41052 · Disclosed 2026-05-27

SUSE Rancher Manager Project Owner PSA bypass enabling privileged workloads

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

It’s a project admin quietly finding the lever that turns guardrails into suggestions

CVE-2026-41052 affects SUSE Rancher Manager and lets a user with the built-in Project Owner role change Pod Security Admission settings on namespaces inside their project, then deploy privileged workloads that Rancher policy was supposed to block. Per the Rancher advisory, affected ranges are >=2.14.0,<2.14.2, >=2.13.0,<2.13.6, and >=2.12.0,<2.12.10; fixed releases are 2.14.2, 2.13.6, and 2.12.10.

GitHub/SUSE scored it High 8.4 on May 27, 2026, but that is too hot for enterprise patch triage. This is not an unauthenticated internet bug; it is a post-auth, role-bound authorization flaw that mainly matters in multi-tenant Rancher environments where you rely on PSA to keep semi-trusted project owners from running privileged containers.

"Real tenant-boundary bypass, but it needs authenticated project-owner access and a shared-cluster setup"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land as a legitimate Rancher user

The attacker needs a valid Rancher account and, per the advisory, effective Cluster Member access. The practical tooling is just the Rancher UI or API session; there is no memory corruption or protocol trick here. This is already post-initial-access and immediately narrows the exposed population.
Conditions required:
  • Valid Rancher credentials
  • Access to a Rancher-managed cluster
  • Rancher Manager in an affected version range
Where this breaks in practice:
  • MFA, SSO, and identity governance should block or at least log account abuse
  • Many internet-exposed Rancher instances are still not exploitable without tenant credentials
Detection/coverage: Identity telemetry is the best sensor here: SSO, Rancher audit logs, and unusual logins. Version scanners can flag vulnerable Rancher builds, but they cannot prove abuse.
STEP 02

Gain or hold Project Owner on a target project

The advisory's abuse path assumes the user either creates a project they own or is assigned Project Owner on one. That role is the real gate: without it, the bug does not open the PSA bypass path. Tooling is still ordinary Rancher role assignment and project administration, not exploit code.
Conditions required:
  • Project Owner role on a project
  • Project uses Rancher's default built-in role behavior
Where this breaks in practice:
  • Many enterprises keep Project Owner assignment relatively tight
  • If the tenant is already trusted to run sensitive workloads, the incremental risk is lower
Detection/coverage: Review ProjectRoleTemplateBinding changes and admin-side role grants. Most scanners miss this because it is an authorization design issue, not a package fingerprint alone.
STEP 03

Flip namespace PSA to privileged

Using the built-in role's unintended updatepsa capability, the attacker changes namespace Pod Security Admission labels to a privileged profile. This is the key semantic break: policy enforcement meant to stop privileged pods becomes tenant-editable. A simple kubectl or Rancher API call is enough.
Conditions required:
  • Ability to create or manage a namespace in the owned project
  • Namespace PSA labels are enforced as the control boundary
Where this breaks in practice:
  • Some environments enforce equivalent restrictions elsewhere with admission controllers or policy engines
  • Change auditing on namespace labels can expose the move before payload deployment
Detection/coverage: Look for changes to namespace labels such as pod-security.kubernetes.io/enforce, audit, and warn, especially transitions toward privileged.
STEP 04

Deploy privileged workload and reach host-level impact

Once PSA is weakened, the attacker can deploy a privileged pod with host access patterns that were supposed to be blocked. From there, the path can lead to host resource access, container breakout opportunities, and broader cluster compromise depending on node hardening and workload design. The common weaponized tool is simply kubectl apply with a privileged pod spec, not a custom exploit.
Conditions required:
  • Privileged workload admission succeeds after PSA change
  • Node/runtime hardening does not block the follow-on host interaction
Where this breaks in practice:
  • Runtime controls like Kyverno/Gatekeeper/Falco/EDR can catch or block privileged pod behavior
  • Actual host compromise still depends on what the privileged pod is allowed to mount and touch
Detection/coverage: Kubernetes audit logs, admission controller logs, and runtime sensors should all light up on privileged pod creation. Scanner coverage is weak; behavior telemetry is stronger.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo KEV listing and no public exploitation evidence found in the sources reviewed. I found no GreyNoise, CISA, or vendor statement indicating active attacks.
PoC availabilityNo standalone public PoC repo or exploit script found. The best public abuse recipe is the vendor's own 5-step advisory path: Cluster Member → Project Owner → namespace creation → PSA change → privileged workload.
Vendor/CNA advisoryRancher's GitHub advisory GHSA-vx8h-4prv-g744 was published on 2026-05-27.
Vendor severity reality checkContrary to the initial prompt, Rancher/GitHub now publishes High 8.4 with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H. noisgate still treats this as assessed because your workflow explicitly requested a first-principles severity call.
CVSS vector interpretationPR:H and UI:R tell the story: this is not a drive-by internet bug. It assumes an authenticated, already-entitled tenant who can perform project administration actions.
Affected versions>=2.14.0,<2.14.2, >=2.13.0,<2.13.6, >=2.12.0,<2.12.10 per the Rancher advisory.
Fixed versionsPatch to 2.14.2, 2.13.6, or 2.12.10. The fix removes unintended updatepsa access from the built-in project-owner role.
Exposure populationRancher admin consoles are commonly internet-reachable over HTTPS, but that barely moves this CVE because the bug still requires valid tenant credentials plus Project Owner. I found no public scan/telemetry dataset specific to CVE-2026-41052 in the reviewed sources.
EPSSNo FIRST EPSS score found in the reviewed public sources. Treat EPSS as effectively unavailable rather than as a low-risk signal.
Researcher / creditThe GitHub advisory credits MMunier and Trolldemorted as finders.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.1/10)

The decisive downgrade pressure is attacker position: exploitation requires a legitimate Rancher tenant with Project Owner rights, so this is a post-auth shared-cluster boundary failure, not broad remote compromise. The impact can be ugly once reached, but the reachable population is much smaller than the vendor CVSS suggests.

HIGH Affected/fixed version ranges and patch status
MEDIUM Real-world exploitability and fleet-level urgency

Why this verdict

  • Post-auth and role-bound: attacker needs valid Rancher access plus the built-in Project Owner role before the bug matters
  • Shared-cluster dependent: the risk is materially higher only where you rely on PSA to constrain semi-trusted tenants inside the same cluster
  • Impact is real once reached: privileged workload deployment can cross from project admin into host/cluster-level consequences

Why not higher?

This is not unauthenticated remote code execution, not a pre-auth admin-console takeover, and not a bug every internet scanner can weaponize at scale. The prerequisite chain compounds hard: valid account, correct cluster role, project ownership, namespace control, and a deployment model where PSA is the control boundary.

Why not lower?

Once the path is available, the attacker is not just changing metadata; they can authorize privileged containers that may reach host resources and enable cluster escalation. In organizations using Rancher for multi-tenant guardrails, that is a meaningful security boundary failure and deserves more than backlog-only treatment.

05 · Compensating Control

What to do — in priority order.

  1. Replace the built-in role path — If you cannot patch immediately, create a custom Project Owner-like role that removes unrestricted project-resource wildcard behavior and does not grant updatepsa. For a MEDIUM noisgate verdict there is no mitigation SLA, but do this immediately on shared clusters because it cuts off the only documented abuse path.
  2. Alert on PSA downgrades — Monitor namespace label changes to pod-security.kubernetes.io/*, especially moves toward privileged. There is no mitigation SLA for MEDIUM, but this control gives you near-term visibility while you work through the remediation window.
  3. Block privileged pod specs elsewhere — Use admission policy or runtime controls outside Rancher's built-in role model to deny privileged containers, host PID/IPC, hostPath, and similar high-risk settings. There is no mitigation SLA for MEDIUM, but this adds a second enforcement layer if PSA becomes tenant-editable.
  4. Tighten Project Owner assignment — Treat Project Owner as a high-trust role in shared clusters and review who actually needs it. There is no mitigation SLA for MEDIUM, but reducing role sprawl directly shrinks the exploitable population.
What doesn't work
  • A WAF does not help; this is normal authenticated use of Rancher/Kubernetes APIs, not a web injection bug.
  • Internet ACLs alone do not solve it; the actor can be an internal user or a valid remote tenant.
  • MFA alone reduces account theft risk but does nothing against a legitimately entitled Project Owner.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or admin jump box that already has kubectl pointed at the management cluster hosting Rancher. Invoke it as bash check_cve_2026_41052.sh cattle-system; it needs read access to the rancher deployment in that namespace and outputs VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_41052.sh
# Detects whether the Rancher Manager version is in an affected range for CVE-2026-41052.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -euo pipefail

NS="${1:-cattle-system}"
DEPLOY="rancher"

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

ver_lt() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ] && [ "$1" != "$2" ]
}

ver_ge() {
  ! ver_lt "$1" "$2"
}

normalize() {
  local v="$1"
  v="${v##*:}"
  v="${v#v}"
  echo "$v"
}

if ! have_cmd kubectl; then
  echo "UNKNOWN: kubectl not found"
  exit 2
fi

image="$(kubectl -n "$NS" get deploy "$DEPLOY" -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null || true)"
if [ -z "$image" ]; then
  echo "UNKNOWN: unable to read deployment $DEPLOY in namespace $NS"
  exit 2
fi

version="$(normalize "$image")"
if [ -z "$version" ]; then
  echo "UNKNOWN: could not parse Rancher image tag from '$image'"
  exit 2
fi

branch="$(echo "$version" | awk -F. '{print $1"."$2}')"

case "$branch" in
  2.14)
    if ver_ge "$version" "2.14.0" && ver_lt "$version" "2.14.2"; then
      echo "VULNERABLE: Rancher $version matches >=2.14.0,<2.14.2"
      exit 1
    elif ver_ge "$version" "2.14.2"; then
      echo "PATCHED: Rancher $version is >=2.14.2"
      exit 0
    fi
    ;;
  2.13)
    if ver_ge "$version" "2.13.0" && ver_lt "$version" "2.13.6"; then
      echo "VULNERABLE: Rancher $version matches >=2.13.0,<2.13.6"
      exit 1
    elif ver_ge "$version" "2.13.6"; then
      echo "PATCHED: Rancher $version is >=2.13.6"
      exit 0
    fi
    ;;
  2.12)
    if ver_ge "$version" "2.12.0" && ver_lt "$version" "2.12.10"; then
      echo "VULNERABLE: Rancher $version matches >=2.12.0,<2.12.10"
      exit 1
    elif ver_ge "$version" "2.12.10"; then
      echo "PATCHED: Rancher $version is >=2.12.10"
      exit 0
    fi
    ;;
  *)
    echo "UNKNOWN: Rancher $version is outside the advisory's documented affected branches (2.12/2.13/2.14)"
    exit 2
    ;;
esac

echo "UNKNOWN: unable to classify Rancher version $version"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, identify every Rancher management cluster on 2.12.x, 2.13.x, or 2.14.x, then separate shared-cluster / semi-trusted tenant deployments from everything else. For this MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; patch to 2.12.10, 2.13.6, or 2.14.2 inside the noisgate remediation SLA of ≤ 365 days, and, where you actually depend on PSA to contain project owners, remove updatepsa-equivalent access as an immediate hardening step even though there is no formal mitigation deadline.

Sources

  1. Rancher GitHub advisory GHSA-vx8h-4prv-g744
  2. SUSE Rancher Manager v2.14 Security Advisories and CVEs
  3. SUSE Rancher Manager v2.12 Security Advisories and CVEs
  4. SUSE Rancher Manager v2.14.2 release notes
  5. SUSE Rancher Manager v2.12.10 release notes
  6. Kubernetes Pod Security Standards
  7. CISA Known Exploited Vulnerabilities Catalog
  8. Rancher releases
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.