=====================================================================
CERT-Renater Information Note No. 2026/VULN471
_____________________________________________________________________

DATE : 07/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rancher (Go) versions prior to
2.14.1, 2.13.5, 2.12.9, 2.11.13.
=====================================================================

https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35
_____________________________________________________________________

Arbitrary file access via path traversal in Rancher Extensions

Severity: High
samjustus published GHSA-5v3h-x4wf-5c35 on Apr 30, 2026

Package: github.com/rancher/rancher (Go)

Affected versions:
  >=2.14.0, <2.14.1
  >=2.13.0, <2.13.5
  >=2.12.0, <2.12.9
  >=2.11.0, <2.11.13
  >=v2.10.11

Patched versions: 2.14.1, 2.13.5, 2.12.9, 2.11.13

Description

Impact

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected into Rancher through a path traversal in the compressedEndpoint field of a UIPlugin deployment. A malicious UI extension could abuse this to:

- Overwrite Rancher binaries or configuration to inject code.
- Write to /var/lib/rancher/ to tamper with cluster state.
- If hostPath volumes are mounted, write to the host node filesystem.
- Chain this issue with other attack vectors.

By default only the administrator can deploy UI extensions, unless permissions are granted to other users. It is always recommended to only install extensions that come from sources trusted by the user.

Please consult the associated MITRE CAPEC-126 - Technique - Path Traversal for further information about this category of attack.

Patches

This vulnerability is addressed by ensuring that:

- The file defined by the UIPlugin CR's compressedEndpoint is created inside the cache directory and cannot contain "../". If that is not possible, the installation fails and the file is not created.
- The icons referenced by a Cluster Repo's index.yaml file always resolve to a file inside the repository directory.

Patched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, v2.11.13.

Workarounds

There is no workaround. The user must be careful about which UI Plugins they install.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.

Severity: High, 8.4 / 10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: High
  User interaction:    Required
  Scope:               Changed
  Confidentiality:     High
  Integrity:           High
  Availability:        High
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE ID: CVE-2026-25705

Weaknesses: CWE-35

Credits: @KoreaSecurity (KoreaSecurity) - Reporter

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44               +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41               +
+ 75013 Paris       | email : cert@support.renater.fr    +
=========================================================
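The "Patches" section above describes the containment check the fix applies to compressedEndpoint: the target file must land inside the cache directory and may not contain "../". The following Go function is an added illustration of that kind of check, written for this note and not taken from Rancher's code; the function name safeCachePath and the "/cache/ui-plugins" root are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when the endpoint would escape the cache root.
var ErrOutsideCache = errors.New("compressedEndpoint resolves outside the plugin cache directory")

// safeCachePath maps an untrusted compressedEndpoint value onto a file path
// below cacheRoot. Hypothetical helper (not Rancher's code): it rejects
// absolute paths, any ".." segment in the raw value, and any cleaned path
// that does not stay under cacheRoot. The check is lexical; if symlinks may
// exist inside the cache, also run filepath.EvalSymlinks on the result.
func safeCachePath(cacheRoot, endpoint string) (string, error) {
	if endpoint == "" {
		return "", errors.New("empty compressedEndpoint")
	}
	if filepath.IsAbs(endpoint) {
		return "", ErrOutsideCache
	}
	// Refuse every ".." segment up front, matching the "cannot contain ../" rule.
	for _, seg := range strings.Split(filepath.ToSlash(endpoint), "/") {
		if seg == ".." {
			return "", ErrOutsideCache
		}
	}
	root, err := filepath.Abs(cacheRoot)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(root, endpoint) // Join also cleans "." and "//"
	// Belt and braces: after cleaning, the path must still sit below root.
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return joined, nil
}

func main() {
	// Constructed inputs; "/cache/ui-plugins" is a placeholder, not a real Rancher path.
	for _, ep := range []string{"my-ext/plugin.tar.gz", "../../etc/passwd", "/etc/passwd"} {
		p, err := safeCachePath("/cache/ui-plugins", ep)
		fmt.Printf("%-24q -> %q err=%v\n", ep, p, err)
	}
}
```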