CVE-2026-41053 | Incorrect authentication caching in the team member ship exp… | CVSS 8.8 HIGH

Description

Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.

Metadata

CVE ID: CVE-2026-41053
State: PUBLISHED
Assigner: suse
Reserved: 2026-04-16 13:37 UTC
Published: 2026-06-30 11:38 UTC
Last updated: 2026-06-30 12:09 UTC
Primary CWE: CWE-303
CWE-303 Incorrect implementation of authentication algorithm
Vendor / Product: SUSE / Rancher
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
SUSE	Rancher	—	2.14.0 < 2.14.2, 2.13.0 < 2.13.6

Weakness (CWE)

CWE	Source	Description
CWE-303	cna	CWE-303 Incorrect implementation of authentication algorithm

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh