← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-44939 · Disclosed 2026-05-27

SUSE Rancher Manager cluster import manifest YAML injection via `authImage`

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a poisoned shipping label that only matters if an admin prints it and sticks it on a live cluster

CVE-2026-44939 affects SUSE Rancher Manager cluster import manifests. SUSE says Rancher now validates the authImage parameter in cluster import manifests to prevent YAML injection. Fixed builds are v2.14.2, v2.13.6, v2.12.10, v2.11.14, and v2.10.12, which implies affected supported versions are the earlier releases on those branches. In practice, the weak point is the manifest-generation path used when registering/importing an existing Kubernetes cluster into Rancher.

There is no published CNA/NVD/MITRE CVSS baseline that I could find as of 2026-06-02, so this is a first-pass field assessment. The bug is real, but the vendor description overstates nothing and also leaves out the biggest real-world friction: this is not a spray-and-pray internet RCE. An attacker has to get into a cluster import workflow, influence the generated manifest, and then have that YAML applied by a privileged operator to a downstream cluster.

"Assessed at MEDIUM: dangerous cluster-side impact, but the exploit path rides a narrow admin import workflow."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into the import workflow

The attacker first needs a path to a valid Rancher cluster registration/import operation, typically centered on the /v3/import/<token>.yaml flow documented by Rancher and commonly fetched with curl. The practical weapon here is not a scanner; it is access to a live registration token, an automation pipeline, or an operator session already performing cluster registration.
Conditions required:
  • Access to a Rancher instance running an affected version
  • A valid cluster import/registration token or equivalent workflow foothold
  • The target organization uses Rancher to register/import downstream clusters
Where this breaks in practice:
  • This is already post-initial-access in most enterprises
  • Not every Rancher deployment is actively importing clusters at a given moment
  • Registration tokens are workflow artifacts, not a universally exposed anonymous endpoint
Detection/coverage: Rancher audit logs, reverse proxy logs, and CI/CD logs may show access to /v3/import/*.yaml, but many shops do not baseline this path.
STEP 02

Inject through authImage into generated YAML

The exploit hinges on a crafted authImage value being accepted into the manifest-generation path and rendered into Kubernetes YAML without sufficient validation. The weaponized tool is the Rancher manifest generator itself: if input validation is missing, malicious content can be smuggled into the manifest as extra YAML structure rather than just an image string.
Conditions required:
  • The attacker can influence the authImage value or the request path that feeds it
  • The Rancher server is on an unfixed branch
Where this breaks in practice:
  • SUSE's public note is terse, so the exact injection primitive is not publicly documented
  • No public PoC was found, which raises attacker development cost
  • Ingress normalization, upstream validation, or wrapper automation may strip malformed input before it reaches Rancher
Detection/coverage: WAFs and generic HTTP signatures are weak here; the better signal is anomalous query strings or unexpected line-break/special-character patterns tied to import-manifest requests.
STEP 03

Have an operator apply the manifest with kubectl

Rancher documentation explicitly tells operators to copy the generated kubectl command and run it against the target cluster. That makes kubectl apply -f - the execution trigger: once the victim fetches and applies the poisoned YAML, the downstream cluster accepts whatever malicious resources were successfully injected.
Conditions required:
  • A human operator or automation runs the generated import command
  • The target kubeconfig points at the downstream cluster with sufficient rights, commonly cluster-admin for registration
Where this breaks in practice:
  • This step requires user interaction or automation execution
  • Many enterprise teams gate cluster registration through change control or platform engineering review
  • If the malformed YAML visibly breaks, the operator may stop before impact
Detection/coverage: Kubernetes audit logs and admission logs on the downstream cluster can capture unexpected resources created during the import window.
STEP 04

Land code or persistence in the downstream cluster

If the injected YAML can add or alter Kubernetes objects, the likely endgame is a malicious workload, secret access path, or RBAC change inside the imported cluster. The blast radius can be serious because import commands are typically executed with elevated privileges, but the impact is usually bounded to the specific downstream cluster being registered rather than all Rancher-managed estates at once.
Conditions required:
  • Injected YAML survives parsing and admission
  • The downstream cluster allows the injected resource types
Where this breaks in practice:
  • Pod Security, admission controllers, and policy engines can block some payload classes
  • Air-gapped registries and strict image allowlists can break payload execution
  • The attack does not automatically imply compromise of the Rancher management cluster itself
Detection/coverage: Admission controllers, EDR on worker nodes, Falco-style runtime tooling, and Kubernetes audit pipelines should see the follow-on object creation if defenders are watching.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence found as of 2026-06-02. Not listed in CISA KEV.
Proof-of-concept availabilityNo public PoC or researcher write-up located in GitHub advisories, Rancher GitHub releases, or broad web search results.
EPSSNo public EPSS entry located for this CVE during review; treat predictive exploit data as unavailable rather than favorable.
KEV statusNo. CISA KEV catalog check during this assessment found no listing for CVE-2026-44939.
CVSS / CNA scoringNone published that I could verify. No authoritative vendor/CNA CVSS score or vector was located on SUSE pages, GitHub advisories, NVD, or MITRE during this review.
Affected versionsSupported affected branches are the versions before the fixed builds: 2.14.x < 2.14.2, 2.13.x < 2.13.6, 2.12.x < 2.12.10, 2.11.x < 2.11.14, 2.10.x < 2.10.12.
Fixed versionsRancher Manager v2.14.2, v2.13.6, v2.12.10, v2.11.14, and v2.10.12.
Exposure / scanning realityI found no product-specific GreyNoise/Shodan/Censys/FOFA telemetry tied to this CVE. Real exposure tracks whether your Rancher UI/API is reachable and whether teams are actively using imported/registered cluster workflows.
Disclosure date2026-05-27 on SUSE's security/CVE documentation and corresponding branch release notes.
Reporting creditNo public researcher credit found in the vendor documentation or publicly visible GitHub advisory pages reviewed.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (5.5/10)

The single biggest downward pressure is that exploitation appears to require riding a privileged cluster-import workflow, not just hitting an exposed edge service and winning. The biggest upward pressure is that, once triggered, the payload is applied to a downstream Kubernetes cluster through a path operators often run with cluster-admin-level authority.

MEDIUM Severity assessment without a vendor/CNA baseline
MEDIUM Exploit-chain inference from limited public technical detail
HIGH Affected/fixed version mapping from SUSE release documentation

Why this verdict

  • Requires a narrow attacker position: the attacker needs access to a live Rancher import/registration workflow, which usually implies prior compromise, insider access, or workflow-level social engineering.
  • User interaction is part of the kill chain: the manifest has to be fetched and applied with kubectl, so a privileged operator or automation run is the trigger rather than a one-packet remote exploit.
  • Impact is meaningful when it lands: YAML injection into an import manifest can translate into arbitrary Kubernetes object creation or manipulation in a high-value downstream cluster, often with elevated privileges.

Why not higher?

I do not see evidence of an unauthenticated, internet-wide exploit path, and I found no KEV listing, no public exploitation reporting, and no public PoC. The reachable population is narrower than generic Rancher exposure because this bug appears tied to a specific import-manifest workflow rather than the full management plane.

Why not lower?

This is not harmless parser weirdness. If the attacker can steer a victim into applying poisoned import YAML, the downstream cluster can be materially altered during a privileged admin operation, which is too much blast radius for LOW or IGNORE.

05 · Compensating Control

What to do — in priority order.

  1. Restrict access to Rancher import workflows — Limit who can create, view, and use cluster registration/import tokens and URLs; treat them like privileged enrollment secrets. For a MEDIUM verdict there is no mitigation SLA, so keep this as standing hardening and go straight to patching within the 365-day remediation window.
  2. Gate kubectl apply of import manifests through review — Make imported-cluster registration a platform-engineering-controlled change, not an ad hoc admin action. Require operators to review the fetched YAML or run it through a trusted wrapper before execution; for MEDIUM, there is no mitigation SLA, but this should remain in place until patched.
  3. Log and alert on /v3/import/*.yaml access — Add reverse-proxy, Rancher audit, and CI/CD telemetry around import-manifest generation and consumption so you can spot unexpected token use, malformed parameters, or unusual registration bursts. For MEDIUM, there is no mitigation SLA, but this is worthwhile control-plane telemetry to maintain long term.
  4. Harden downstream admission — Use Pod Security admission, Kyverno/Gatekeeper, image allowlists, and namespace/RBAC guardrails so a poisoned manifest has fewer useful payload options. This will not fix the bug, but it can collapse the most damaging post-apply outcomes while you work inside the 365-day remediation window.
What doesn't work
  • MFA on the Rancher UI alone does not solve this if the attacker already has a valid import token, a compromised automation context, or a victim operator running the generated command.
  • Generic perimeter IDS/WAF signatures are weak because the meaningful payload is hidden in a manifest-generation workflow over normal HTTPS and may only become obvious after kubectl apply.
  • Assuming the downstream cluster is safe because it is 'internal' is false comfort; the import command is explicitly run by trusted admins with high privileges, which is exactly why the impact matters.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation or a node with kubectl access to the management cluster where Rancher itself is installed. Invoke it as bash check-rancher-cve-2026-44939.sh cattle-system; it needs read access to the Rancher deployment/statefulset in that namespace and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-rancher-cve-2026-44939.sh
# Detects whether a Rancher Manager installation is on a fixed version for CVE-2026-44939.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / unable to determine

set -euo pipefail

NS="${1:-cattle-system}"

need() {
  command -v "$1" >/dev/null 2>&1 || { echo "UNKNOWN: missing required command '$1'"; exit 2; }
}

need kubectl
need awk
need sed

get_image() {
  kubectl -n "$NS" get deploy rancher -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null && return 0
  kubectl -n "$NS" get statefulset rancher -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null && return 0
  return 1
}

normalize_ver() {
  # Strip registry/name, leading v, and any suffix after the numeric semver core.
  # Examples:
  #   rancher/rancher:v2.14.2 -> 2.14.2
  #   v2.13.6 -> 2.13.6
  #   2.12.10-rc1 -> 2.12.10
  local raw="$1"
  raw="${raw##*:}"
  raw="${raw#v}"
  echo "$raw" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

ver_to_int() {
  local v="$1"
  IFS='.' read -r major minor patch <<< "$v"
  printf '%03d%03d%03d\n' "$major" "$minor" "$patch"
}

cmp_ge() {
  local a b
  a=$(ver_to_int "$1")
  b=$(ver_to_int "$2")
  [[ "$a" -ge "$b" ]]
}

cmp_lt() {
  local a b
  a=$(ver_to_int "$1")
  b=$(ver_to_int "$2")
  [[ "$a" -lt "$b" ]]
}

IMAGE="$(get_image || true)"
if [[ -z "$IMAGE" ]]; then
  echo "UNKNOWN: could not find Rancher deployment/statefulset in namespace '$NS'"
  exit 2
fi

VER="$(normalize_ver "$IMAGE")"
if [[ ! "$VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "UNKNOWN: could not parse Rancher version from image '$IMAGE'"
  exit 2
fi

MAJOR_MINOR="$(echo "$VER" | awk -F. '{print $1"."$2}')"

case "$MAJOR_MINOR" in
  2.14)
    if cmp_ge "$VER" "2.14.2"; then
      echo "PATCHED: Rancher $VER (fixed in 2.14.2+)"
      exit 0
    else
      echo "VULNERABLE: Rancher $VER (affected 2.14.x < 2.14.2)"
      exit 1
    fi
    ;;
  2.13)
    if cmp_ge "$VER" "2.13.6"; then
      echo "PATCHED: Rancher $VER (fixed in 2.13.6+)"
      exit 0
    else
      echo "VULNERABLE: Rancher $VER (affected 2.13.x < 2.13.6)"
      exit 1
    fi
    ;;
  2.12)
    if cmp_ge "$VER" "2.12.10"; then
      echo "PATCHED: Rancher $VER (fixed in 2.12.10+)"
      exit 0
    else
      echo "VULNERABLE: Rancher $VER (affected 2.12.x < 2.12.10)"
      exit 1
    fi
    ;;
  2.11)
    if cmp_ge "$VER" "2.11.14"; then
      echo "PATCHED: Rancher $VER (fixed in 2.11.14+)"
      exit 0
    else
      echo "VULNERABLE: Rancher $VER (affected 2.11.x < 2.11.14)"
      exit 1
    fi
    ;;
  2.10)
    if cmp_ge "$VER" "2.10.12"; then
      echo "PATCHED: Rancher $VER (fixed in 2.10.12+)"
      exit 0
    else
      echo "VULNERABLE: Rancher $VER (affected 2.10.x < 2.10.12)"
      exit 1
    fi
    ;;
  *)
    echo "UNKNOWN: Rancher $VER is outside the publicly documented fixed branches for CVE-2026-44939"
    exit 2
    ;;
esac
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull a version inventory of every Rancher management cluster, identify anything on 2.14.x < 2.14.2, 2.13.x < 2.13.6, 2.12.x < 2.12.10, 2.11.x < 2.11.14, or 2.10.x < 2.10.12, and put imported/registered-cluster workflows under tighter operational control while you schedule upgrades. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; your noisgate remediation SLA is to apply the vendor-fixed Rancher version within 365 days, with faster handling for internet-facing management planes or teams that frequently onboard downstream clusters.

Sources

  1. SUSE Rancher Manager security advisories and CVEs
  2. SUSE Rancher Manager v2.14.2 release notes
  3. SUSE Rancher Manager v2.11.14 release notes
  4. Rancher documentation: Registering Existing Clusters
  5. Go package docs showing Rancher `auth-image` setting
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS project
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.