CVE-2026-44949 | A Rancher FleetWorkspace admission path allowed side effects… | CVSS 7.0 HIGH

Description

A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to the in-cluster rancher-webhook service could submit a crafted admission payload and cause workspace-related Kubernetes objects to be created with attacker-chosen identity data.

Metadata

CVE ID: CVE-2026-44949
State: PUBLISHED
Assigner: suse
Reserved: 2026-05-08 12:29 UTC
Published: 2026-06-30 14:41 UTC
Last updated: 2026-06-30 15:10 UTC
Primary CWE: CWE-306
CWE-306 Missing authentication for critical function
Vendor / Product: SUSE / Rancher
Sources: cve.org · NVD

Severity & Metrics

7.0 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SUSE	Rancher	—	0.7.0 < 0.7.10, 0.8.0 < 0.8.7, 0.9.0 < 0.9.6, 0.10.0 < 0.10.7

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306 Missing authentication for critical function

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.0	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References (1)

https://github.com/rancher/webhook/security/advisories/GHSA-h83p-cq95-vph4