HarborGuard Database
CVE-2026-44939 · CRITICAL · CNA: suse

CVE-2026-44939: Command injection through unsanitized YAML parameter in Rancher

A command injection vulnerability in the Rancher Manager cluster import endpoint /v3/import/{token}_{clusterId}.yaml before 2.14.2, via unsanitized YAML parameters, could allow remote attackers to break out of an image and execute, for example, malicious containers.

Metrics

CVSS v4.0: 9.4
Severity: CRITICAL
Fixed in: 2.10.12 (2.10 branch; each later branch has its own fix version, listed under "Fix available" below)
Affected products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability in Rancher Manager allows an unauthenticated remote attacker to exploit the cluster import endpoint (/v3/import/{token}_{clusterId}.yaml) by supplying unsanitized YAML parameters. Exploitation depends on a victim interacting with the attacker-supplied content (CVSS UI:P), but no credentials are required (PR:N). Successful exploitation enables container breakout and arbitrary command execution on the host, with full compromise of the affected system and of connected systems (SC:H/SI:H/SA:H). Patched-image rebuilds at versions 2.10.12, 2.11.14, 2.12.10, 2.13.6, and 2.14.2 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44939 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, covering both standard Rancher images and custom-built images that bundle Rancher Manager components. Any image resolving to an affected Rancher version range is flagged automatically in the customer's registry and CI pipeline scans.

Triage: Available

HarborGuard scores this CVE at CVSS 9.4 (Critical) and weights findings against each customer org's compliance policy to determine urgency and routing. Triage results are delivered to the inbox or ticketing integration configured for the relevant team within each customer environment.

Patch: Available

A patched-image rebuild at the applicable fix version (2.10.12, 2.11.14, 2.12.10, 2.13.6, or 2.14.2, depending on the branch in use) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable import endpoint is exposed over the network, so the attacker must be able to reach the Rancher Manager service via HTTP/HTTPS.

  • Authentication: Not required

    The import endpoint accepts requests without a user account or session token (CVSS PR:N), so no Rancher login is needed to send a malicious payload. The {token} segment of the path is a cluster registration token, not a user credential; unexpected use of such tokens is what the token audit recommended below is meant to surface.

  • Victim interaction: Required

    Exploitation requires a victim (such as a cluster operator) to interact with or trigger processing of the attacker-supplied YAML (CVSS UI:P), which adds a social-engineering step.

  • Attack complexity: Low

    The exploit is reliable and requires no race conditions, special memory layout, or environmental prerequisites beyond reaching the endpoint (CVSS AC:L, AT:N).

Blast Radius

  • Attacker executes arbitrary commands inside the Rancher container and breaks out to the underlying host.
  • Full read access to secrets, credentials, and configuration stored in the Rancher environment, including kubeconfig files and cluster tokens.
  • Attacker can write to or modify cluster state, deploy malicious containers, and alter workloads across managed clusters.
  • Connected downstream clusters inherit the compromise because Rancher's management plane can propagate attacker-controlled configurations to them.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44939 runs within minutes of CVE publication and covers all images resolving to an affected Rancher Manager version across registered registries and build pipelines. For environments running an affected branch, a patched-image rebuild targeting the appropriate fix version (2.10.12, 2.11.14, 2.12.10, 2.13.6, or 2.14.2) is available. Where compliance policy permits, customers with auto-remediation enabled receive the rebuilt image, a regression-test run, and a PR opened against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. For customers who have not enabled auto-remediation, HarborGuard surfaces the finding with the applicable fix version in the triage dashboard so the upgrade can be prioritized manually. Until the patched image is deployed, restrict which source IPs can reach the Rancher import endpoint (at the ingress or load balancer, since a Kubernetes NetworkPolicy cannot match on URL path) and audit cluster registration tokens and requests to /v3/import/ for unexpected usage.
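The audit half of that interim mitigation, as an added example that is not HarborGuard's or Rancher's own code: it walks access-log lines, picks out requests to the /v3/import/{token}_{clusterId}.yaml path named in the CVE record, and flags sources outside a trusted range as well as token/cluster pairs that do not match the registration tokens you expect. The log format, the trusted CIDRs, the known-token table and the sample lines are all constructed for the example.

```python
"""Audit access logs for Rancher cluster-import requests.

Added example, not code from HarborGuard or Rancher. Assumptions: an
nginx/ingress-style combined log format, a constructed allowlist, and a
constructed map of registration token -> clusterId. The endpoint path
shape is the one given in the CVE record.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Combined-log-style line: "<src> - - [<ts>] "<method> <path> <proto>" <status> ..."
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Import endpoint path from the CVE record: /v3/import/{token}_{clusterId}.yaml
_IMPORT_RE = re.compile(r"^/v3/import/(?P<token>[^_/]+)_(?P<cluster>[^/]+)\.yaml$")

# Constructed sample data for the example.
SAMPLE_LOG: List[str] = [
    '10.0.1.15 - - [03/Mar/2026:10:01:02 +0000] "GET /v3/import/k7tp2xq_c-m-ab12cd34.yaml HTTP/1.1" 200 4532',
    '198.51.100.23 - - [03/Mar/2026:10:05:44 +0000] "GET /v3/import/k7tp2xq_c-m-ab12cd34.yaml HTTP/1.1" 200 4532',
    '10.0.1.15 - - [03/Mar/2026:10:06:10 +0000] "GET /v3/import/zzzz9999_c-m-ab12cd34.yaml HTTP/1.1" 200 4532',
    '10.0.1.15 - - [03/Mar/2026:10:06:30 +0000] "GET /v3/import/k7tp2xq_c-m-other999.yaml HTTP/1.1" 200 4532',
    '10.0.1.15 - - [03/Mar/2026:10:07:00 +0000] "GET /v3/clusters HTTP/1.1" 200 812',
]
KNOWN_TOKENS: Dict[str, str] = {"k7tp2xq": "c-m-ab12cd34"}  # constructed
TRUSTED_CIDRS: List[str] = ["10.0.0.0/8"]                   # constructed

Finding = Tuple[str, str, str, str, List[str]]  # src, token, clusterId, status, reasons


def audit_import_requests(lines, trusted_cidrs, known_tokens) -> Tuple[int, List[Finding]]:
    """Return (count of clean import requests, list of suspicious ones).

    A request is suspicious when the source is outside every trusted CIDR,
    when the token is not a known registration token, or when a known token
    is used with a clusterId other than the one it was issued for.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings: List[Finding] = []
    clean = 0
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not an import request we can judge
        p = _IMPORT_RE.match(m["path"].split("?", 1)[0])
        if not p:
            continue  # some other Rancher endpoint
        reasons: List[str] = []
        try:
            src = ipaddress.ip_address(m["src"])
            if not any(src in n for n in nets):
                reasons.append("source outside trusted ranges")
        except ValueError:
            reasons.append("source is not an IP address")
        expected = known_tokens.get(p["token"])
        if expected is None:
            reasons.append("unknown registration token")
        elif expected != p["cluster"]:
            reasons.append("token bound to a different cluster")
        if reasons:
            findings.append((m["src"], p["token"], p["cluster"], m["status"], reasons))
        else:
            clean += 1
    return clean, findings


if __name__ == "__main__":
    ok, hits = audit_import_requests(SAMPLE_LOG, TRUSTED_CIDRS, KNOWN_TOKENS)
    print(f"clean import requests: {ok}")
    for src, token, cluster, status, why in hits:
        print(f"{src} {token}_{cluster} {status}: {', '.join(why)}")
```

When Rancher sits behind a proxy or load balancer, the first column of the log is the proxy's address; log and use the client address the proxy forwards instead, or the allowlist check is meaningless.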


Fix available

2.10.12 · 2.11.14 · 2.12.10 · 2.13.6 · 2.14.2
Affected packages
  • SUSE / Rancher
    < 2.14.2 (from 2.14.0) · < 2.13.6 (from 2.13.0) · < 2.12.10 (from 2.12.0) · < 2.11.14 (from 2.11.0) · < 2.10.12 (from 2.10.0)
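As an added example (not HarborGuard's or Rancher's own code), the following Python encodes the per-branch ranges above and resolves an image tag to the fix version that applies to it, which is the check a scanner performs when it decides whether to flag an image. The tag-parsing rules, the treatment of pre-release tags of a fix version as still affected, and the sample image references are assumptions made for the example.

```python
"""Resolve Rancher Manager image tags against the affected ranges on this page.

Added example, not HarborGuard's or Rancher's code. The ranges are copied from
the "Affected packages" list; tag parsing and pre-release handling are assumed.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, fixed in) for each listed branch.
AFFECTED_RANGES = (
    ("2.10", (2, 10, 0), (2, 10, 12)),
    ("2.11", (2, 11, 0), (2, 11, 14)),
    ("2.12", (2, 12, 0), (2, 12, 10)),
    ("2.13", (2, 13, 0), (2, 13, 6)),
    ("2.14", (2, 14, 0), (2, 14, 2)),
)

# Accepts 'v2.14.1', '2.14.1' and pre-release forms such as 'v2.14.2-rc1'.
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_tag(tag: str) -> Tuple[Version, Optional[str]]:
    """Split a tag into ((major, minor, patch), pre-release-suffix-or-None)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher tag: {tag!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def fix_for(tag: str) -> Optional[str]:
    """Return the fix version for an affected tag, or None if the tag is not
    inside any listed range. A pre-release of the fix version itself (for
    example v2.14.2-rc1) is treated as affected because it precedes the fix."""
    version, pre = parse_tag(tag)
    for _branch, first, fixed in AFFECTED_RANGES:
        if first <= version < fixed:
            return "%d.%d.%d" % fixed
        if version == fixed and pre is not None:
            return "%d.%d.%d" % fixed
    return None


def is_affected(tag: str) -> bool:
    return fix_for(tag) is not None


def scan_images(refs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each image reference to its fix version, None (not in a listed
    range) or 'unresolved' when the reference carries no tag (digest-only
    references need a registry lookup, which this offline example skips)."""
    out: Dict[str, Optional[str]] = {}
    for ref in refs:
        last = ref.rsplit("/", 1)[-1]  # avoid mistaking a registry port for a tag
        if "@" in ref or ":" not in last:
            out[ref] = "unresolved"
            continue
        out[ref] = fix_for(ref.rsplit(":", 1)[1])
    return out


if __name__ == "__main__":
    # Constructed sample references.
    sample = [
        "rancher/rancher:v2.14.1",
        "registry.example:5000/rancher/rancher:v2.12.9",
        "rancher/rancher:v2.13.6",
        "rancher/rancher@sha256:0123456789abcdef",
    ]
    for ref, fix in scan_images(sample).items():
        print(f"{ref}: {'fix ' + fix if fix not in (None, 'unresolved') else fix}")
```

A tag outside the five listed branches (2.9.x, for instance) returns None because this record does not list it, not because it is known to be safe; consult the upstream advisory before treating such branches as unaffected.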
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H