
CVE-2026-44946: SUSE Rancher Auth Bypass Vulnerability

CVE-2026-44946 is a SAML assertion replay flaw in SUSE Rancher: an attacker in a person-in-the-middle position can resubmit a captured assertion and bypass authentication. This article covers the technical details, affected versions, and remediation.

CVE-2026-44946 Overview

CVE-2026-44946 is a SAML authentication replay vulnerability in SUSE Rancher's Assertion Consumer Service (ACS) handler. The handler fails to enforce one-time use of SAML assertions, allowing an adversary in a person-in-the-middle position to replay a captured assertion and authenticate as the victim. The flaw is categorized under [CWE-294] Authentication Bypass by Capture-Replay and affects Rancher 2.14.0 and later releases before the fixed version 2.14.3. Successful exploitation grants access to the Rancher management plane, which orchestrates Kubernetes clusters and workloads. SUSE published the fix in security advisory GHSA-c5jm-xcmq-9j95.

Critical Impact

An attacker replaying a captured SAML assertion can authenticate to Rancher as the targeted user, gaining control over managed Kubernetes clusters and downstream workloads.

Affected Products

  • SUSE Rancher 2.14.0 and later, before 2.14.3 (fixed in 2.14.3)
  • SUSE Rancher deployments using SAML-based authentication providers
  • Downstream Kubernetes clusters managed by affected Rancher instances

Discovery Timeline

  • 2026-06-30 - CVE-2026-44946 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-44946

Vulnerability Analysis

Rancher supports federated authentication through Security Assertion Markup Language (SAML) providers such as ADFS, Okta, and Keycloak. The Assertion Consumer Service (ACS) handler receives signed SAML responses from the identity provider and establishes an authenticated session. The ACS handler in affected releases does not track assertion identifiers or enforce the OneTimeUse condition specified by the SAML 2.0 core specification. As a result, an assertion that has already been consumed can be resubmitted and accepted as valid. An attacker positioned between the browser and Rancher, or one who otherwise obtains a valid assertion, can replay it to impersonate the legitimate user.

Root Cause

The root cause is missing state tracking for consumed SAML assertions inside Rancher's ACS handler. The handler validates the assertion signature and lifetime window but does not persist assertion IDs or invalidate them after first use. SAML assertions typically remain within their NotOnOrAfter window for several minutes, giving an attacker a usable replay window.
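The missing check described in this section, as an added example that is not Rancher's code: a minimal Go replay guard for an ACS handler that records each accepted assertion ID until the assertion's NotOnOrAfter time and rejects a second submission of the same ID. The Assertion type, ParseAssertion, ReplayGuard and the sample assertion are constructed for this example; signature and audience validation are assumed to have been performed before Consume is called.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assertion carries the two pieces of a SAML 2.0 assertion that replay
// protection needs: the ID attribute and the Conditions/NotOnOrAfter bound.
// Signature and audience checks are assumed to have been done by the caller
// before Consume is reached (hypothetical; not shown here).
type Assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	ID         string   `xml:"ID,attr"`
	Conditions struct {
		NotOnOrAfter string    `xml:"NotOnOrAfter,attr"`
		OneTimeUse   *struct{} `xml:"OneTimeUse"`
	} `xml:"Conditions"`
}

// ParseAssertion unmarshals the assertion and refuses one that has no ID or
// no NotOnOrAfter, since neither replay tracking nor expiry is possible then.
func ParseAssertion(doc []byte) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return nil, err
	}
	if a.ID == "" || a.Conditions.NotOnOrAfter == "" {
		return nil, errors.New("assertion lacks ID or NotOnOrAfter")
	}
	return &a, nil
}

var (
	ErrExpired  = errors.New("assertion is outside its validity window")
	ErrReplayed = errors.New("assertion ID has already been consumed")
)

// ReplayGuard remembers every accepted assertion ID until that assertion's
// NotOnOrAfter time; after that the IdP-issued bound itself rejects a replay,
// so the entry can be dropped and the cache stays bounded.
type ReplayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func NewReplayGuard() *ReplayGuard {
	return &ReplayGuard{seen: make(map[string]time.Time)}
}

// Consume accepts an assertion exactly once. The vulnerable behaviour the
// advisory describes is equivalent to skipping the "seen" lookup below.
func (g *ReplayGuard) Consume(a *Assertion, now time.Time) error {
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return fmt.Errorf("invalid NotOnOrAfter: %w", err)
	}
	if !now.Before(notOnOrAfter) {
		return ErrExpired
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for id, exp := range g.seen { // drop entries that can no longer be replayed
		if !now.Before(exp) {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[a.ID]; dup {
		return ErrReplayed
	}
	g.seen[a.ID] = notOnOrAfter
	return nil
}

// sampleAssertion is a constructed, unsigned assertion for demonstration only.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-assertion-1" Version="2.0" IssueInstant="2026-07-01T10:00:00Z">
  <saml:Conditions NotBefore="2026-07-01T10:00:00Z" NotOnOrAfter="2026-07-01T10:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>`

func main() {
	a, err := ParseAssertion([]byte(sampleAssertion))
	if err != nil {
		panic(err)
	}
	g := NewReplayGuard()
	now := time.Date(2026, 7, 1, 10, 1, 0, 0, time.UTC)
	fmt.Println("first use:", g.Consume(a, now))                        // <nil>
	fmt.Println("replay:", g.Consume(a, now.Add(30*time.Second)))       // assertion ID has already been consumed
	fmt.Println("after expiry:", g.Consume(a, now.Add(10*time.Minute))) // assertion is outside its validity window
}
```

The map here is per process. A Rancher deployment that runs several server replicas would need the seen set in a store shared by all replicas, otherwise a replay routed to a different replica is still accepted. Keying the retention to NotOnOrAfter is also why the workaround of shortening assertion validity at the identity provider helps: it bounds both the replay window and the size of the cache.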

Attack Vector

Exploitation requires the attacker to obtain a valid SAML assertion, typically through a person-in-the-middle position on the network path between the identity provider, the user's browser, and the Rancher server. The attacker captures the assertion POSTed to the ACS endpoint, then replays the same assertion to /v1-saml/*/saml/acs before the assertion expires. Because the handler accepts the replayed assertion, Rancher issues an authenticated session bound to the victim's identity and role bindings. No user interaction and no credentials are required by the attacker once the assertion has been captured. Refer to the Rancher GitHub Security Advisory GHSA-c5jm-xcmq-9j95 for vendor-supplied technical detail.

Detection Methods for CVE-2026-44946

Indicators of Compromise

  • Duplicate SAML assertion IDs (ID attribute) submitted to the Rancher ACS endpoint within a short time window.
  • Multiple successful authentications for the same user from different source IP addresses in Rancher audit logs.
  • SAML Response POST requests to /v1-saml/*/saml/acs originating from unexpected user-agents or proxies.
  • Rancher session creation events without a corresponding fresh identity provider redirect flow.

Detection Strategies

  • Enable Rancher audit logging at the request body level and alert on repeated SAML assertion identifiers.
  • Correlate identity provider logs with Rancher authentication events to detect assertions consumed more than once.
  • Inspect reverse proxy or ingress logs for repeated POST requests carrying identical SAMLResponse parameter values.
  • Baseline normal geographic and network origins for each Rancher user and alert on deviations.
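A log-triage sketch for the first and third detection strategies above, added here as an example (it is not part of the advisory or of any Rancher tooling): it decodes the SAMLResponse parameter from body-level request logs, extracts the Assertion ID attribute, and reports every ID submitted to the ACS endpoint more than once together with the time and source address of each submission. The flat line format, the ParseACSPost and FindReplays functions and the sample lines are constructed for the example; Rancher's real audit log is JSON and would need a field mapping first.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// assertionIDRe pulls the ID attribute off the Assertion element of a decoded
// SAML response without a full XML parse, which is enough for log triage.
var assertionIDRe = regexp.MustCompile(`<(?:[A-Za-z0-9_]+:)?Assertion\b[^>]*\bID="([^"]+)"`)

// ACSPost is one POST to the ACS endpoint as reconstructed from a log line.
type ACSPost struct {
	Time, SourceIP, Path, AssertionID string
}

// ParseACSPost reads the constructed line format used in this example:
//
//	<RFC3339 time> <source ip> POST <path> SAMLResponse=<base64>
//
// Rancher's real audit log is JSON with different field names; the mapping
// to this flat form is assumed to be done upstream (for instance in the SIEM).
func ParseACSPost(line string) (ACSPost, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "POST" || !strings.HasSuffix(f[3], "/saml/acs") {
		return ACSPost{}, false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(f[4], "SAMLResponse="))
	if err != nil {
		return ACSPost{}, false
	}
	m := assertionIDRe.FindSubmatch(raw)
	if m == nil {
		return ACSPost{}, false
	}
	return ACSPost{Time: f[0], SourceIP: f[1], Path: f[3], AssertionID: string(m[1])}, true
}

// ReplayAlert lists every submission of an assertion ID that was POSTed more
// than once; the first entry is the legitimate consumption, the rest are replays.
type ReplayAlert struct {
	AssertionID string
	Submissions []string // "<time> <source ip>"
}

// FindReplays groups ACS posts by assertion ID and reports the duplicates.
func FindReplays(lines []string) []ReplayAlert {
	seen := map[string][]string{}
	var order []string // first-seen order keeps the output deterministic
	for _, l := range lines {
		p, ok := ParseACSPost(l)
		if !ok {
			continue
		}
		if _, known := seen[p.AssertionID]; !known {
			order = append(order, p.AssertionID)
		}
		seen[p.AssertionID] = append(seen[p.AssertionID], p.Time+" "+p.SourceIP)
	}
	var alerts []ReplayAlert
	for _, id := range order {
		if len(seen[id]) > 1 {
			alerts = append(alerts, ReplayAlert{AssertionID: id, Submissions: seen[id]})
		}
	}
	return alerts
}

// encodeResponse builds a minimal, unsigned SAML response for the constructed
// sample below; real responses are signed and far larger.
func encodeResponse(assertionID string) string {
	doc := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">` +
		`<saml:Assertion ID="` + assertionID + `" Version="2.0"/></samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

// SampleLines returns constructed log lines: two distinct logins, an unrelated
// GET, and one replay of the first assertion from a different source address.
func SampleLines() []string {
	a1, a2 := encodeResponse("_assert-0001"), encodeResponse("_assert-0002")
	return []string{
		"2026-07-01T10:00:03Z 203.0.113.10 POST /v1-saml/okta/saml/acs SAMLResponse=" + a1,
		"2026-07-01T10:00:41Z 198.51.100.7 POST /v1-saml/okta/saml/acs SAMLResponse=" + a2,
		"2026-07-01T10:00:05Z 203.0.113.10 GET /dashboard/ -",
		"2026-07-01T10:02:17Z 192.0.2.99 POST /v1-saml/okta/saml/acs SAMLResponse=" + a1,
	}
}

func main() {
	for _, al := range FindReplays(SampleLines()) {
		fmt.Printf("assertion %s submitted %d times: %v\n", al.AssertionID, len(al.Submissions), al.Submissions)
	}
}
```

Because a legitimate browser retry can also resubmit the same SAMLResponse, treat a duplicate from the same source within a few seconds as lower severity and a duplicate from a different address, as in the sample, as the signal worth paging on; correlating with the identity provider's own issuance log confirms whether the IdP really issued the assertion once.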

Monitoring Recommendations

  • Forward Rancher API server and audit logs to a centralized SIEM for retention and correlation.
  • Monitor Kubernetes RoleBinding and ClusterRoleBinding changes performed shortly after SAML logins.
  • Track creation of new kubeconfig tokens and service accounts following authentication events.
  • Alert on privileged actions such as cluster template modifications or impersonate verb use.

How to Mitigate CVE-2026-44946

Immediate Actions Required

  • Upgrade Rancher 2.14.x deployments to version 2.14.3 or later as specified in the vendor advisory.
  • Rotate all Rancher API tokens and kubeconfig credentials issued during the exposure window.
  • Force reauthentication of all SAML-authenticated users after upgrading.
  • Review Rancher audit logs for signs of replayed assertions and unauthorized cluster changes.

Patch Information

SUSE addressed the vulnerability in Rancher 2.14.3. Details are published in the Rancher GitHub Security Advisory GHSA-c5jm-xcmq-9j95. Administrators should apply the vendor-supplied release, restart Rancher server pods, and validate that SAML login flows continue to function against their configured identity providers.

Workarounds

  • Enforce TLS with strict certificate validation between users, identity providers, and Rancher to reduce person-in-the-middle exposure.
  • Shorten SAML assertion validity windows at the identity provider to minimize the replay window.
  • Restrict access to the Rancher management interface to trusted networks or VPN endpoints until patching is complete.
  • Where possible, temporarily switch high-privilege administrators to a non-SAML authentication provider until the upgrade is applied.
```bash
# Verify the installed Rancher version before upgrading
kubectl -n cattle-system get deployment rancher -o jsonpath='{.spec.template.spec.containers[0].image}'

# Upgrade via Helm, reusing the values the release was installed with
# (hostname, TLS settings, etc.) so the upgrade does not reset them
helm repo update
helm get values rancher -n cattle-system -o yaml > rancher-values.yaml
helm upgrade rancher rancher-stable/rancher \
  --namespace cattle-system \
  -f rancher-values.yaml \
  --version 2.14.3

# Confirm the rollout, then force SAML users to re-authenticate by removing
# existing user tokens. Review the selection first: the labels below assume
# tokens are stored as labelled Secrets in cattle-system, so confirm the
# listed objects match what your release uses before deleting them.
kubectl -n cattle-system rollout status deploy/rancher
kubectl -n cattle-system get secret -l cattle.io/creator=norman,authn.management.cattle.io/token-userId
kubectl -n cattle-system delete secret -l cattle.io/creator=norman,authn.management.cattle.io/token-userId
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
