Update CVE page w/ Rancher CVEs for May Release (#2332)

* Update CVE page w/ Rancher CVEs for May Release

* Fix v2.11-zh CVE table

* Fix v2.10-zh CVE table

* Fix v2.10-zh CVE table pt2
This commit is contained in:
Lucas Saintarbor
2026-05-28 13:38:02 -07:00
committed by GitHub
parent 5ff3581630
commit 5d278c77a5
12 changed files with 26 additions and 0 deletions
@@ -10,6 +10,9 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
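Review bot: The Resolution cells of the three new rows break the convention of the rows beneath them, which write a single "Rancher" prefix and an "and" before the last version ("Rancher [v2.13.2](…), [v2.12.6](…), [v2.11.10](…), and [v2.10.11](…)"). CVE-2026-41053 and CVE-2026-41052 repeat "Rancher" before v2.13.6 and have no "and", and CVE-2026-44939 repeats the prefix as well. Suggest `Rancher [v2.14.2](…) and [v2.13.6](…)` for 41053 and `Rancher [v2.14.2](…), [v2.13.6](…), and [v2.12.10](…)` for 41052. The same cells are pasted into every other table in this commit, so fix them at the source and re-propagate rather than patching one file.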
@@ -10,6 +10,9 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
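Review bot: This table has no CVE-2026-25705 row, while the English table in the first hunk carries it as unchanged context directly under CVE-2026-44939 (30 Apr 2026; fixed in v2.14.1, v2.13.5, v2.12.9 and v2.11.13). The new rows here include CVE-2026-41053, whose only fixed versions are v2.14.2 and v2.13.6, so this table covers a branch that received the April fix and the row should be added in the same pass. The other zh tables in this commit whose context jumps from CVE-2025-67601 straight to CVE-2023-32199 have the same gap, and the same check applies to them.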
@@ -10,6 +10,7 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2024-58260](https://github.com/rancher/rancher/security/advisories/GHSA-q82v-h4rq-5c86) | Setting the username of one user as the same username of another user causes an error when either user attempts to log in. Therefore, a user with the `Manage Users` permission could potentially deny any user, including admins, from logging in. To prevent this, usernames have been made immutable once set, and it is not possible to update or create a user with a username that is already in use. | 25 Sep 2025 | Rancher [v2.12.2](https://github.com/rancher/rancher/releases/tag/v2.12.2), [v2.11.6](https://github.com/rancher/rancher/releases/tag/v2.11.6), [v2.10.10](https://github.com/rancher/rancher/releases/tag/v2.10.10), and [v2.9.12](https://github.com/rancher/rancher/releases/tag/v2.9.12) |
@@ -10,6 +10,7 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
@@ -10,6 +10,8 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
@@ -10,6 +10,9 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
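Review bot: The CVE-2026-41053 description is written in a different register from every other row: the others say what Rancher now does ("Rancher now validates…", "Rancher now removes…"), this one opens "Fixed a security vulnerability in the GitHub App authentication provider where…". Suggest "Rancher now grants users authenticated through the GitHub App provider only the permissions of the GitHub teams they belong to; previously they inherited permissions from every team in their organization." and keep the sentence about the automatic refresh. Also, `principals` in backticks reads as a code identifier; either drop the backticks or name the object type that is refreshed.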
@@ -10,6 +10,9 @@ Rancher 致力于向社区披露我们产品的安全问题。我们会针对已
| ID | 描述 | 日期 | 解决 |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
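Review bot: This hunk is byte-for-byte identical to the two earlier zh hunks that add CVE-2026-41053, CVE-2026-41052 and CVE-2026-44939, and the English tables repeat the same cells again: twelve files changed to add 26 near-identical lines. Hand-copying is also how the zh tables came to lack the CVE-2026-25705 row that the English tables carry. Consider keeping one shared list of advisories and generating or including the per-version tables from it, filtered by the versions in the Resolution column, so that a new advisory is added once.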
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2024-58260](https://github.com/rancher/rancher/security/advisories/GHSA-q82v-h4rq-5c86) | Setting the username of one user as the same username of another user causes an error when either user attempts to log in. Therefore, a user with the `Manage Users` permission could potentially deny any user, including admins, from logging in. To prevent this, usernames have been made immutable once set, and it is not possible to update or create a user with a username that is already in use. | 25 Sep 2025 | Rancher [v2.12.2](https://github.com/rancher/rancher/releases/tag/v2.12.2), [v2.11.6](https://github.com/rancher/rancher/releases/tag/v2.11.6), [v2.10.10](https://github.com/rancher/rancher/releases/tag/v2.10.10), and [v2.9.12](https://github.com/rancher/rancher/releases/tag/v2.9.12) |
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
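Review bot: The CVE-2026-44939 row says what was fixed ("validates the `authImage` parameter in cluster import manifests") but not what the flaw allowed or who could reach it, while the CVE-2026-25705 row directly below it states both (arbitrary file access; by default only users with administrative permissions can deploy UI extensions). Readers deciding how urgently to upgrade need the same for `authImage`: which role can supply a cluster import manifest with a crafted value, and what the injected YAML could do. Take both from the linked advisory GHSA-mhc6-2gfq-xx62 rather than guessing.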
@@ -10,6 +10,8 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
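Review bot: The CVE-2026-41052 row tells administrators to "create a custom project role that explicitly grants the `updatepsa` verb for the project resource" but does not say where this is configured or link the custom project role documentation, and "PSA" is never expanded in this table. Suggest spelling out Pod Security Admission on first use and adding the link. The wording "Updated the permissions of the built-in `project-owner` role" implies that only the built-in role changed and that existing custom roles which already grant `updatepsa` are untouched; if that is so, say it explicitly, since that is the first question an operator with custom roles will ask.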
@@ -10,6 +10,9 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
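Review bot: the CVE-2026-41053 row lists only v2.14.2 and v2.13.6 under Resolution, whereas the two rows added beside it (CVE-2026-41052 and CVE-2026-44939) also cover v2.12.10 and, for the latter, v2.11.14 and v2.10.12, so a reader on one of those older lines cannot tell from the table whether their release is unaffected or still awaiting a fix. Suggest either adding the matching release links or stating in the Description which release lines carry the GitHub App provider issue, as documented in the linked GHSA-4j6x-2764-m8gh advisory; the same "Rancher" prefix repeated before each version in that cell should also be reduced to one, matching the rows below.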
@@ -10,6 +10,9 @@ Rancher is committed to informing the community of security issues in our produc
| ID | Description | Date | Resolution |
|----|-------------|------|------------|
| [CVE-2026-41053](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) | Fixed a security vulnerability in the GitHub App authentication provider where users incorrectly inherited permissions from all teams within their GitHub organization, rather than only the specific teams to which they belonged. Upon upgrading, Rancher automatically triggers a mandatory refresh of all affected user `principals` to remove these incorrectly assigned team memberships and restore proper access. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6) |
| [CVE-2026-41052](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) | Updated the permissions of the built-in `project-owner` role to no longer include the `updatepsa` verb. This prevents users with this role from bypassing restricted PSA policies or deploying privileged workloads within their projects. If your organization requires users to retain this capability, administrators must create a custom project role that explicitly grants the `updatepsa` verb for the project resource. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10) |
| [CVE-2026-44939](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) | Rancher now validates the `authImage` parameter in cluster import manifests to prevent YAML injection attacks. | 27 May 2026 | Rancher [v2.14.2](https://github.com/rancher/rancher/releases/tag/v2.14.2), Rancher [v2.13.6](https://github.com/rancher/rancher/releases/tag/v2.13.6), [v2.12.10](https://github.com/rancher/rancher/releases/tag/v2.12.10), [v2.11.14](https://github.com/rancher/rancher/releases/tag/v2.11.14), and [v2.10.12](https://github.com/rancher/rancher/releases/tag/v2.10.12) |
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Ranchers setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
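Review bot: the CVE-2026-44939 description states that the `authImage` parameter in cluster import manifests is now validated but not the operator-facing consequence: whether a manifest that fails validation is rejected, and whether clusters registered with a manifest generated before the fix need any action. The CVE-2026-41053 and CVE-2026-41052 rows in the same hunk each spell this out (automatic refresh of affected principals, custom project role required to keep `updatepsa`), so this row should follow suit with one sentence on the post-upgrade behaviour, worded to match what the fix actually does.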