CVE-2026-41052 | Improper privilege handling could be used by users with Proj… | CVSS 9.4 CRITICAL

Description

Improper privilege handling could be used by users with Project Owner role to escalate privileges, in Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10.

Metadata

CVE ID: CVE-2026-41052
State: PUBLISHED
Assigner: suse
Reserved: 2026-04-16 13:37 UTC
Published: 2026-06-29 15:41 UTC
Last updated: 2026-06-29 16:22 UTC
Primary CWE: CWE-305
CWE-305 Authentication bypass by primary weakness
Vendor / Product: SUSE / Rancher
Sources: cve.org · NVD

Severity & Metrics

9.4 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
SUSE	Rancher	—	2.12.0 < 2.12.10, 2.13.0 < 2.13.6, 2.14.0 < 2.14.2

Weakness (CWE)

CWE	Source	Description
CWE-305	cna	CWE-305 Authentication bypass by primary weakness

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.4	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744