GHSA-5V3H-X4WF-5C35
Vulnerability from github – Published: 2026-05-07 01:23 – Updated: 2026-05-14 20:31
Impact
A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to:
- Overwrite Rancher binaries or configuration to inject code.
- Write to /var/lib/rancher/ to tamper with cluster state.
- If hostPath volumes are mounted, write to the host node filesystem.
- Use this issue to chain with other attack vectors.
By default only the administrator can deploy UI extensions, unless permissions are granted to other users. It's always recommended to only install extensions that come from sources trusted by the user.
Please consult the associated MITRE CAPEC-126 - Technique - Path Traversal for further information about this category of attack.
Patches
This vulnerability is addressed by ensuring that:
- The file defined by the UI Plugin CR's compressedEndpoint has to be created inside the cache directory and cannot contain ../. If that is not possible, the installation will fail and the file won't be created.
- The icons referenced by Cluster Repos' index.yaml file always resolve to a file inside the repository directory.
Patched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, v2.11.13.
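The containment rule the patch describes (a user-supplied relative path must land inside a fixed base directory and must not contain ../) can be implemented as one helper that serves both the compressedEndpoint cache file and the index.yaml icon case. This is an added Go example, not Rancher's own code; the base directories /tmp/example-cache and /tmp/example-repo and the function names are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when an untrusted path would escape baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// resolveInside joins an untrusted relative path onto baseDir and returns the
// absolute result only if it stays inside baseDir. It rejects absolute paths and
// any ".." segment up front, then re-checks the cleaned result with filepath.Rel
// so that forms like "a/../../x" cannot slip past a naive substring test.
func resolveInside(baseDir, untrusted string) (string, error) {
	if untrusted == "" || filepath.IsAbs(untrusted) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, untrusted)
	}
	for _, seg := range strings.Split(filepath.ToSlash(untrusted), "/") {
		if seg == ".." {
			return "", fmt.Errorf("%w: %q contains '..'", ErrOutsideBase, untrusted)
		}
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, filepath.FromSlash(untrusted)) // Join also cleans
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, untrusted)
	}
	return target, nil
}

// cachePathForPlugin maps a UIPlugin's compressedEndpoint onto the cache directory.
func cachePathForPlugin(cacheDir, compressedEndpoint string) (string, error) {
	return resolveInside(cacheDir, compressedEndpoint)
}

// iconPathForRepo maps an icon reference from a repo's index.yaml onto the repo directory.
func iconPathForRepo(repoDir, icon string) (string, error) {
	return resolveInside(repoDir, icon)
}

func main() {
	for _, ep := range []string{"my-ext/0.1.0/plugin.tar.gz", "../../escaped.tar.gz"} {
		p, err := cachePathForPlugin("/tmp/example-cache", ep) // constructed base dir
		fmt.Printf("%q -> %q err=%v\n", ep, p, err)
	}
}
```

An installer that calls cachePathForPlugin before creating the file gets the advisory's documented behaviour: a traversing endpoint fails the install and nothing is written.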
Workarounds
There is no workaround. The user must be careful about which UI Plugins they install.
Resources
If there are any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with the support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.14.0"
},
{
"fixed": "2.14.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0"
},
{
"fixed": "2.12.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.11"
},
{
"fixed": "2.11.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25705"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T01:23:59Z",
"nvd_published_at": "2026-05-13T08:16:16Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA vulnerability has been identified in [Rancher\u0027s Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to:\n\n- Overwrite Rancher binaries or configuration to inject code.\n- Write to `/var/lib/rancher/` to tamper with cluster state.\n- If `hostPath` volumes are mounted, write to the host node filesystem.\n- Use this issue to chain with other attack vectors.\n\nBy default only the administrator can deploy UI extensions, unless permissions are granted to other users. It\u0027s always recommended to only install extensions that come from sources trusted by the user.\n\nPlease consult the associated [MITRE CAPEC-126 - Technique - Path Traversal](https://capec.mitre.org/data/definitions/126.html) for further information about this category of attack.\n\n### Patches\n\nThis vulnerability is addressed by ensuring that:\n\n- The file defined by the UI Plugin CR\u0027s `compressedEndpoint` has to be created inside the cache directory and cannot contain `../`. If that is not possible, the installation will fail and the file won\u0027t be created. \n- The icons referenced by Cluster Repos\u0027 `index.yaml` file always resolves to a file inside the repository directory.\n\nPatched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, v2.11.13.\n\n### Workarounds\n\nThere is no workaround. The user must be careful about which UI Plugins they install.\n\n### Resources\n\nIf there are any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with the [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-5v3h-x4wf-5c35",
"modified": "2026-05-14T20:31:20Z",
"published": "2026-05-07T01:23:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25705"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/rancher"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rancher Extensions have arbitrary file access via path traversal"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.