CRITICAL · CVE-2026-44946 · CNA: suse

CVE-2026-44946: SAML Authentication Replay in Rancher

A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertions, potentially allowing person-in-the-middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3,

Metrics

CVSS v4.0
9.5
Severity
CRITICAL
Fixed in
2.11.15 (2.12.11, 2.13.7 and 2.14.3 on the later branches)
Affected Products
1


HarborGuard Analysis

Synopsis

A SAML authentication replay vulnerability affects Rancher's Assertion Consumer Service (ACS) handler, which processes login assertions from identity providers. The flaw is reachable over the network without any authentication, though exploiting it requires a person-in-the-middle position and specific preconditions (CVSS AC:H, AT:P). A successful attacker can replay a captured SAML assertion to authenticate as the targeted user, gaining full access to Rancher with that user's privileges and potentially affecting downstream systems Rancher manages. Patched-image rebuilds at versions 2.11.15, 2.12.11, 2.13.7, and 2.14.3 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Rancher-based images, in both registry scans and CI/CD pipeline checks. Any image running a Rancher version in the affected ranges (2.11.0-2.11.14, 2.12.0-2.12.10, 2.13.0-2.13.6, 2.14.0-2.14.2) is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.5 Critical and weights it against each customer organization's compliance policy to determine urgency tier and routing. Triage tickets are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild targeting the applicable fix version (2.11.15, 2.12.11, 2.13.7, or 2.14.3, depending on the branch in use) becomes available in HarborGuard as soon as the upstream release is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The Rancher ACS endpoint is exposed over the network, so an attacker must be able to reach it and must also be positioned to capture a valid SAML response in transit. In the browser-based HTTP POST binding that SAML web SSO normally uses, the identity provider hands the signed response to the user's browser, which posts it to the ACS, so the capture point is that browser-to-Rancher leg rather than a direct connection between the identity provider and Rancher.

  • Authentication: Not required

    No credentials are required to submit a replayed SAML assertion to the ACS handler; the vulnerability lies in the handler accepting an assertion it had already consumed, because one-time use was not tracked. As with any SAML replay, the captured assertion remains useful only while its own validity window (NotOnOrAfter) is open, so the assertion lifetime configured at the identity provider bounds the exposure.

  • Victim interaction: Not required

    The attacker replays a previously captured assertion without requiring any action from the legitimate user at the time of the attack; the user only has to have logged in once while the attacker was in a position to capture the response.

  • Attack complexity: High

    Exploitation requires a person-in-the-middle position and specific preconditions (AC:H, AT:P) to capture a valid SAML assertion, making reliable exploitation dependent on environmental factors rather than a simple, condition-free technique.
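The one-time-use check the advisory says was missing, shown as an added example in Go (the language Rancher is written in) rather than Rancher's own code: a vulnerable ACS-style acceptor that only checks the assertion's validity window, beside a hardened one that also consumes the assertion ID so a second post of the same bytes is rejected. The Assertion struct, the sample assertion, the ReplayCache type and the helper names are constructed for this example; XML signature, Issuer and audience checks are assumed to have run before this point and are omitted.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Minimal subset of a SAML 2.0 <Assertion>, enough to show replay handling.
// Signature, Issuer and AudienceRestriction checks are assumed to have run
// already and are left out to keep the example short.
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string     `xml:"ID,attr"`
	Subject    Subject    `xml:"Subject"`
	Conditions Conditions `xml:"Conditions"`
}

type Subject struct {
	NameID string `xml:"NameID"`
}

type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
}

var ErrReplay = errors.New("assertion ID already consumed")

// ReplayCache remembers accepted assertion IDs until their NotOnOrAfter passes;
// after that the window check rejects them anyway, so entries can be dropped.
// Hypothetical in-memory store; a real deployment shares it across replicas.
type ReplayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func NewReplayCache() *ReplayCache {
	return &ReplayCache{seen: make(map[string]time.Time)}
}

// Consume records id, or returns ErrReplay if it was already accepted and is
// still within its validity window. Expired entries are pruned on each call.
func (c *ReplayCache) Consume(id string, notOnOrAfter, now time.Time) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, exp := range c.seen {
		if !now.Before(exp) {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return ErrReplay
	}
	c.seen[id] = notOnOrAfter
	return nil
}

// parseAndCheckWindow does the checks both handlers share: XML shape, a
// present ID, and the NotBefore/NotOnOrAfter window (no clock-skew allowance).
func parseAndCheckWindow(raw []byte, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.ID == "" {
		return nil, errors.New("assertion has no ID")
	}
	if now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter) {
		return nil, errors.New("assertion outside its validity window")
	}
	return &a, nil
}

// acceptVulnerable mirrors the bug class in the advisory: the window is
// checked, but nothing records that the assertion was already used, so the
// same captured bytes authenticate as many times as they are posted.
func acceptVulnerable(raw []byte, now time.Time) (string, error) {
	a, err := parseAndCheckWindow(raw, now)
	if err != nil {
		return "", err
	}
	return a.Subject.NameID, nil
}

// acceptHardened adds the one-time-use check: the assertion ID is consumed
// together with acceptance, so a second post of the same assertion fails.
func acceptHardened(raw []byte, now time.Time, cache *ReplayCache) (string, error) {
	a, err := parseAndCheckWindow(raw, now)
	if err != nil {
		return "", err
	}
	if err := cache.Consume(a.ID, a.Conditions.NotOnOrAfter, now); err != nil {
		return "", err
	}
	return a.Subject.NameID, nil
}

// Constructed sample assertion (not a real capture) with a five-minute window.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_9f3e2c1b" Version="2.0" IssueInstant="2026-01-01T12:00:00Z">
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-01-01T12:00:00Z" NotOnOrAfter="2026-01-01T12:05:00Z"/>
</saml:Assertion>`

func main() {
	now := time.Date(2026, 1, 1, 12, 1, 0, 0, time.UTC)
	raw := []byte(sampleAssertion)
	for i := 1; i <= 2; i++ {
		u, err := acceptVulnerable(raw, now)
		fmt.Printf("vulnerable, post %d: user=%q err=%v\n", i, u, err)
	}
	cache := NewReplayCache()
	for i := 1; i <= 2; i++ {
		u, err := acceptHardened(raw, now, cache)
		fmt.Printf("hardened,   post %d: user=%q err=%v\n", i, u, err)
	}
}
```

Run it and the vulnerable path accepts the same assertion on both posts while the hardened path returns ErrReplay on the second. Two points matter beyond this toy: the consumed-ID store has to be shared by every Rancher replica that serves the ACS endpoint, or a replay can simply be aimed at a different replica, and entries must outlive the assertion's NotOnOrAfter by whatever clock-skew allowance the window check grants.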

Blast Radius

  • Attacker authenticates to Rancher as the user whose SAML assertion was captured, reading any data that user can access including cluster configurations, secrets, and workload definitions.
  • Attacker can create, modify, or delete Kubernetes workloads and cluster resources within the scope of the replayed user's role.
  • Downstream systems and clusters managed by Rancher are reachable from the attacker's session, expanding the scope of tampering and credential theft beyond the Rancher management plane itself.
  • Scope impact is high on both the vulnerable system and downstream systems (SC:H, SI:H, SA:H): when the replayed assertion belongs to a Rancher administrator, every managed cluster is exposed to disruption or reconfiguration.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44946 is active across all scan environments, with affected Rancher images flagged at Critical severity. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured owner inbox with CVSS scoring and affected version details attached. Customers not yet on a fixed branch (2.11.15, 2.12.11, 2.13.7, or 2.14.3) can restrict which networks may reach the Rancher ACS endpoint as a compensating control until the patched image is deployed, with the caveat that legitimate users' browsers must still reach that endpoint to log in, so the control narrows exposure rather than removing it. Shortening assertion lifetimes at the identity provider also bounds how long a captured assertion remains replayable.


Fix available

2.11.15 · 2.12.11 · 2.13.7 · 2.14.3
Affected packages
  • SUSE / Rancher
    < 2.14.3 (from 2.14.0) · < 2.13.7 (from 2.13.0) · < 2.12.11 (from 2.12.0) · < 2.11.15 (from 2.11.0)
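An added example, not HarborGuard's or Rancher's code, of matching an image tag against the affected ranges above in Go: each branch is treated as the half-open range [from, fixed), tags are parsed as X.Y.Z with an optional v prefix, and pre-release suffixes such as -rc1 sort below the plain release, so a release candidate of a fix version is still reported as affected. The image references in main and the function names are constructed for this example; a version on a branch the advisory does not list is reported as not matched, which is not the same as known-safe.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Branch is one affected range from the advisory: [From, Fixed) is vulnerable.
type Branch struct {
	From, Fixed string
}

// AffectedBranches are the ranges published for CVE-2026-44946.
var AffectedBranches = []Branch{
	{"2.11.0", "2.11.15"},
	{"2.12.0", "2.12.11"},
	{"2.13.0", "2.13.7"},
	{"2.14.0", "2.14.3"},
}

// Version is a parsed X.Y.Z tag; Pre is true for pre-release suffixes such as
// -rc1, which sort before the plain release of the same X.Y.Z.
type Version struct {
	Major, Minor, Patch int
	Pre                 bool
}

// ParseVersion accepts "2.13.5", "v2.13.5", "v2.14.3-rc1" or "2.13.5+build".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(s, "v")
	var v Version
	if i := strings.IndexByte(s, '+'); i >= 0 { // build metadata does not affect ordering
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not an X.Y.Z version: %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Compare returns -1, 0 or 1; a pre-release sorts below its release.
func Compare(a, b Version) int {
	for _, d := range [][2]int{{a.Major, b.Major}, {a.Minor, b.Minor}, {a.Patch, b.Patch}} {
		if d[0] != d[1] {
			if d[0] < d[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.Pre && !b.Pre:
		return -1
	case !a.Pre && b.Pre:
		return 1
	}
	return 0
}

// Assess takes an image reference (or a bare tag) and reports whether the tag
// falls inside a published affected range and, if so, that branch's fix version.
func Assess(ref string) (affected bool, fix string, err error) {
	tag := ref
	if i := strings.LastIndexByte(tag, '/'); i >= 0 { // drop registry and repository path
		tag = tag[i+1:]
	}
	if i := strings.LastIndexByte(tag, ':'); i >= 0 { // keep what follows the tag separator
		tag = tag[i+1:]
	}
	v, err := ParseVersion(tag)
	if err != nil {
		return false, "", err
	}
	for _, b := range AffectedBranches {
		from, _ := ParseVersion(b.From)
		fixed, _ := ParseVersion(b.Fixed)
		if Compare(v, from) >= 0 && Compare(v, fixed) < 0 {
			return true, b.Fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed image references, not scan output.
	for _, ref := range []string{
		"rancher/rancher:v2.13.5",
		"rancher/rancher:v2.14.3",
		"rancher/rancher:v2.14.3-rc1",
		"rancher/rancher:v2.10.9",
	} {
		hit, fix, err := Assess(ref)
		fmt.Printf("%-30s affected=%-5v fix=%s err=%v\n", ref, hit, fix, err)
	}
}
```

The same comparison is what any scanner has to get right for this advisory: 2.14.3-rc1 is inside [2.14.0, 2.14.3) and therefore affected, while a floating tag such as latest carries no version and needs the image's actual build label or digest resolved before it can be assessed at all.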
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H