CVE-2026-41052 · Severity: CRITICAL · CNA: suse

CVE-2026-41052: Rancher Privilege Escalation from Project Owner to Host

Improper privilege handling could be used by users with Project Owner role to escalate privileges, in Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10.

Metrics

CVSS v4.0: 9.4
Severity: CRITICAL
Fixed in: 2.12.10
Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in SUSE Rancher versions 2.12.x before 2.12.10, 2.13.x before 2.13.6, and 2.14.x before 2.14.2. The flaw is reachable over the network and requires a high-privilege (Project Owner) account, meaning an attacker must already hold that role within a Rancher project. Successful exploitation allows the attacker to escalate beyond their assigned Project Owner boundary to gain control at the host level, enabling full read, write, and availability impact across both the affected Rancher instance and dependent systems. Patched-image rebuilds at versions 2.12.10, 2.13.6, and 2.14.2 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. CVE-2026-41052 is ingested from upstream advisory feeds within minutes of publication and matched against Rancher images in customer registries and CI/CD pipelines, including custom-built images that bundle Rancher components.

Triage: Available

HarborGuard scores this CVE at CVSS 9.4 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at the applicable fix version (2.12.10, 2.13.6, or 2.14.2) becomes available on HarborGuard once the upstream image is published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Rancher API or UI over the network; the service must be exposed to the attacker's network path.

  • Authentication: Required

    The attacker must hold an existing Project Owner account within Rancher; any account with that role is sufficient.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the privilege escalation entirely through their own requests.

  • Attack complexity: Low

    The exploit is reliable and condition-free with no race conditions or special environmental factors required.

Blast Radius

  • Attacker gains host-level access, reading sensitive data stored on the underlying host including secrets, credentials, and kubeconfig files.
  • Attacker can write to or modify host-level resources, altering Rancher configuration, workloads, or cluster state across managed downstream clusters.
  • Attacker can disrupt availability of the Rancher management plane and the downstream clusters it controls.
  • Compromise extends to systems and clusters that depend on the affected Rancher instance, including any downstream Kubernetes environments under its management.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-41052 is matched against images in customer registries and pipelines within minutes of publication. Because this is a Critical-severity issue, environments with auto-remediation enabled are eligible for a rebuild at the appropriate fix version (2.12.10, 2.13.6, or 2.14.2), followed by a regression-test run and a pull request opened against affected workloads. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS context and fix-version details to the configured team inbox. As an interim compensating control, consider restricting network access to the Rancher management UI and API to trusted internal networks only, and auditing current Project Owner role assignments to limit exposure to accounts that genuinely require that privilege level.


Fix available: 2.12.10, 2.13.6, 2.14.2
Affected packages
  • SUSE / Rancher
    < 2.12.10 (from 2.12.0) · < 2.13.6 (from 2.13.0) · < 2.14.2 (from 2.14.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
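As an added example (not HarborGuard's or Rancher's code), the following Python reads the CVSS v4.0 vector above to recover the exploit conditions listed earlier on this page, and checks a Rancher build against the affected ranges in the table. The version ranges and metric names are taken from this page; the function names are my own.

```python
"""Triage helpers for CVE-2026-41052 (added example, not HarborGuard code)."""
import re

# Affected ranges exactly as listed on this page: (from, fixed_in), half-open.
AFFECTED_RANGES = [
    ((2, 12, 0), (2, 12, 10)),
    ((2, 13, 0), (2, 13, 6)),
    ((2, 14, 0), (2, 14, 2)),
]

CVSS_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"


def parse_version(text):
    """Turn 'v2.13.5' or '2.13.5-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the build falls inside [from, fixed_in) for any listed branch."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def parse_cvss4(vector):
    """Split a CVSS:4.0 vector into a metric -> value dict; reject other versions."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    return dict(part.split(":", 1) for part in rest.split("/"))


def exploit_conditions(vector):
    """Map the base metrics onto the same preconditions the advisory lists."""
    m = parse_cvss4(vector)
    return {
        "network_reachability_required": m["AV"] == "N",
        "authentication_required": m["PR"] != "N",
        "privileges_required": {"N": "none", "L": "low", "H": "high"}[m["PR"]],
        "victim_interaction_required": m["UI"] != "N",
        # AT:P or AC:H would mean a race or environmental precondition exists.
        "attack_conditions_required": m["AT"] == "P" or m["AC"] == "H",
        # Any High subsequent-system metric means impact crosses the Rancher boundary.
        "subsequent_system_impact": "H" in (m["SC"], m["SI"], m["SA"]),
    }
```

Feed `is_affected` the image tag from your registry scan; a build on 2.11 or earlier is outside every listed range and is reported as not affected, so check the vendor advisory rather than this table for those branches.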