CVE-2026-44946 Overview
CVE-2026-44946 is a SAML authentication replay vulnerability in SUSE Rancher's Assertion Consumer Service (ACS) handler. The handler fails to enforce one-time use of SAML assertions, allowing an adversary in a person-in-the-middle position to replay a captured assertion and authenticate as the victim. The flaw is categorized under [CWE-294] Authentication Bypass by Capture-Replay and affects Rancher 2.x releases prior to the fixed versions. Successful exploitation grants access to the Rancher management plane, which orchestrates Kubernetes clusters and workloads. SUSE published the fix in security advisory GHSA-c5jm-xcmq-9j95.
Critical Impact
An attacker replaying a captured SAML assertion can authenticate to Rancher as the targeted user, gaining control over managed Kubernetes clusters and downstream workloads.
Affected Products
- SUSE Rancher 2.14.0 before 2.14.3
- SUSE Rancher deployments using SAML-based authentication providers
- Downstream Kubernetes clusters managed by affected Rancher instances
Discovery Timeline
- 2026-06-30 - CVE-2026-44946 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-44946
Vulnerability Analysis
Rancher supports federated authentication through Security Assertion Markup Language (SAML) providers such as ADFS, Okta, and Keycloak. The Assertion Consumer Service (ACS) handler receives signed SAML responses from the identity provider and establishes an authenticated session. The ACS handler in affected releases does not track assertion identifiers or enforce the OneTimeUse condition specified by the SAML 2.0 core specification. As a result, an assertion that has already been consumed can be resubmitted and accepted as valid. An attacker positioned between the browser and Rancher, or one who otherwise obtains a valid assertion, can replay it to impersonate the legitimate user.
Root Cause
The root cause is missing state tracking for consumed SAML assertions inside Rancher's ACS handler. The handler validates the assertion signature and lifetime window but does not persist assertion IDs or invalidate them after first use. SAML assertions typically remain within their NotOnOrAfter window for several minutes, giving an attacker a usable replay window.
Attack Vector
Exploitation requires the attacker to obtain a valid SAML assertion, typically through a person-in-the-middle position on the network path between the identity provider, the user's browser, and the Rancher server. The attacker captures the assertion POSTed to the ACS endpoint, then replays the same assertion to /v1-saml/*/saml/acs before the assertion expires. Because the handler accepts the replayed assertion, Rancher issues an authenticated session bound to the victim's identity and role bindings. No user interaction and no credentials are required by the attacker once the assertion has been captured. Refer to the Rancher GitHub Security Advisory GHSA-c5jm-xcmq-9j95 for vendor-supplied technical detail.
Detection Methods for CVE-2026-44946
Indicators of Compromise
- Duplicate SAML assertion IDs (ID attribute) submitted to the Rancher ACS endpoint within a short time window.
- Multiple successful authentications for the same user from different source IP addresses in Rancher audit logs.
- SAML Response POST requests to /v1-saml/*/saml/acs originating from unexpected user-agents or proxies.
- Rancher session creation events without a corresponding fresh identity provider redirect flow.
Detection Strategies
- Enable Rancher audit logging at the request body level and alert on repeated SAML assertion identifiers.
- Correlate identity provider logs with Rancher authentication events to detect assertions consumed more than once.
- Inspect reverse proxy or ingress logs for repeated POST requests carrying identical SAMLResponse parameter values.
- Baseline normal geographic and network origins for each Rancher user and alert on deviations.
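As an added example (not Rancher's code), the one-time-use check that the Root Cause section says the ACS handler lacks, written in Go: a replay cache keyed by assertion ID rejects any second submission of an ID inside its NotOnOrAfter window and prunes entries once the lifetime check would reject them anyway; feeding audit-logged assertion IDs through the same cache implements the "consumed more than once" detection listed above. `Assertion`, `ReplayCache` and `Consume` are hypothetical names, and the sample submissions in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Assertion carries the ID and NotOnOrAfter of a signature-validated assertion.
type Assertion struct {
	ID           string
	NotOnOrAfter time.Time
}

var ErrReplay = errors.New("saml: assertion ID already consumed")

// ReplayCache maps consumed assertion IDs to their NotOnOrAfter; past that
// instant the lifetime check rejects them anyway, so entries are pruned.
// Callers must serialize access (a mutex is omitted for brevity).
type ReplayCache struct{ seen map[string]time.Time }

// Consume enforces one-time use: the first submission of an ID inside its
// validity window is accepted; every later submission is rejected as a replay.
func (c *ReplayCache) Consume(a Assertion, now time.Time) error {
	for id, exp := range c.seen {
		if !now.Before(exp) {
			delete(c.seen, id)
		}
	}
	if !now.Before(a.NotOnOrAfter) {
		return errors.New("saml: assertion outside its validity window")
	}
	if _, dup := c.seen[a.ID]; dup {
		return ErrReplay
	}
	c.seen[a.ID] = a.NotOnOrAfter
	return nil
}

func main() {
	// Constructed ACS traffic: login, replay 30s later, fresh login, stale retry.
	t0 := time.Date(2026, 7, 1, 12, 0, 0, 0, time.UTC)
	exp := t0.Add(5 * time.Minute) // the IdP granted a 5-minute window
	subs := []Assertion{{"_a1", exp}, {"_a1", exp}, {"_b2", exp}, {"_a1", exp}}
	seenAt := []time.Time{t0, t0.Add(30 * time.Second), t0.Add(time.Minute), exp}
	c := &ReplayCache{seen: map[string]time.Time{}}
	for i, a := range subs {
		fmt.Printf("submission %d id=%s -> %v\n", i, a.ID, c.Consume(a, seenAt[i]))
	}
}
```

Only submission 1 is reported as a replay; submission 3 fails the lifetime check instead, which is why the cache need not remember IDs past NotOnOrAfter.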
Monitoring Recommendations
- Forward Rancher API server and audit logs to a centralized SIEM for retention and correlation.
- Monitor Kubernetes RoleBinding and ClusterRoleBinding changes performed shortly after SAML logins.
- Track creation of new kubeconfig tokens and service accounts following authentication events.
- Alert on privileged actions such as cluster template modifications or impersonate verb use.
How to Mitigate CVE-2026-44946
Immediate Actions Required
- Upgrade Rancher 2.14.x deployments to version 2.14.3 or later as specified in the vendor advisory.
- Rotate all Rancher API tokens and kubeconfig credentials issued during the exposure window.
- Force reauthentication of all SAML-authenticated users after upgrading.
- Review Rancher audit logs for signs of replayed assertions and unauthorized cluster changes.
Patch Information
SUSE addressed the vulnerability in Rancher 2.14.3. Details are published in the Rancher GitHub Security Advisory GHSA-c5jm-xcmq-9j95. Administrators should apply the vendor-supplied release, restart Rancher server pods, and validate that SAML login flows continue to function against their configured identity providers.
Workarounds
- Enforce TLS with strict certificate validation between users, identity providers, and Rancher to reduce person-in-the-middle exposure.
- Shorten SAML assertion validity windows at the identity provider to minimize the replay window.
- Restrict access to the Rancher management interface to trusted networks or VPN endpoints until patching is complete.
- Where possible, temporarily switch high-privilege administrators to a non-SAML authentication provider until the upgrade is applied.
# Verify the installed Rancher version and upgrade via Helm
kubectl -n cattle-system get deployment rancher -o jsonpath='{.spec.template.spec.containers[0].image}'
helm repo update
# Preserve the current chart values (hostname, TLS settings) so the upgrade does not reset them
helm get values rancher -n cattle-system -o yaml > rancher-values.yaml
helm upgrade rancher rancher-stable/rancher \
  --namespace cattle-system \
  -f rancher-values.yaml \
  --version 2.14.3
# Confirm rollout and force SAML users to re-authenticate
kubectl -n cattle-system rollout status deploy/rancher
kubectl -n cattle-system delete secret -l cattle.io/creator=norman,authn.management.cattle.io/token-userId
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

