CVE-2026-44946 in Rancher

Summary

by MITRE • 06/30/2026

A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertions, potentially allowing person-in-the-middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3.


Analysis

by VulDB Data Team • 06/30/2026

The vulnerability under examination represents a critical SAML authentication replay flaw within Rancher's Assertion Consumer Service (ACS) handler that fundamentally undermines the security guarantees of single sign-on implementations. This weakness stems from the improper enforcement of one-time use policies for SAML assertions, creating an exploitable condition where malicious actors can capture valid authentication tokens and reuse them to gain unauthorized access to Rancher environments. The vulnerability specifically affects Rancher versions 2.14.0 through 2.14.2, with the issue being resolved in version 2.14.3 through proper implementation of SAML assertion validation mechanisms.

The technical flaw manifests as a failure in the ACS handler's validation logic to properly track and enforce the reuse prohibition of SAML assertions, which directly violates fundamental security principles outlined in CWE-310. This weakness creates a persistent authentication bypass vector where captured assertions can be replayed against the target system, effectively allowing attackers to impersonate legitimate users without requiring knowledge of their credentials. The vulnerability operates at the authentication layer and represents a classic example of a session management flaw that enables unauthorized access through manipulation of authentication tokens.

From an operational impact perspective, this vulnerability creates significant risk for organizations relying on Rancher for container orchestration and management. An attacker in a man-in-the-middle position can capture SAML assertions during transmission and subsequently reuse them to gain administrative access to Rancher clusters, potentially leading to complete compromise of containerized applications and infrastructure. The attack vector aligns with ATT&CK technique T1566, which involves credential harvesting through phishing or network interception, while also demonstrating a weakness in identity federation protocols that could enable lateral movement within compromised environments.

The security implications extend beyond simple unauthorized access as the vulnerability undermines the trust model inherent in SAML-based authentication systems. Organizations deploying Rancher with SAML integration face potential exposure to persistent threats where attackers can maintain access through repeated assertion reuse, making detection and remediation challenging. The vulnerability's impact is particularly severe given that Rancher serves as a central management platform for Kubernetes clusters, meaning successful exploitation could provide attackers with control over critical containerized workloads and infrastructure components.

Mitigation strategies should include immediate upgrade to Rancher version 2.14.3 or later where the SAML assertion one-time use enforcement has been properly implemented. Organizations should also implement additional monitoring for suspicious authentication patterns and consider deploying network-level protections such as intrusion detection systems that can identify potential replay attack signatures. Security teams should conduct thorough reviews of their SAML configurations to ensure proper validation of assertion attributes including NotOnOrAfter and SessionNotOnOrAfter timestamps, while also implementing multi-factor authentication mechanisms to provide additional defense layers against credential-based attacks. The fix addresses the root cause by enforcing proper SAML assertion lifecycle management that aligns with industry best practices for identity federation security controls.
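The control whose absence the analysis describes is a replay guard on the ACS side: every accepted assertion ID is remembered for the length of its validity window, and a second presentation of the same ID is refused. The following is an added example written for this page, not Rancher's code or its fix; it shows how such a guard fits together with the NotBefore/NotOnOrAfter and InResponseTo checks mentioned above. The SAML response, the request ID `_req-0001`, the assertion ID `_a1b2c3`, the hostnames and the `AcsValidator` class are all constructed for the example; XML signature verification is assumed to have succeeded before `consume()` is called and is not shown.

```python
"""Added example (not Rancher code): one-time-use enforcement for SAML assertions
at an Assertion Consumer Service. Signature verification is assumed to run first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class AssertionRejected(Exception):
    """Raised when the ACS refuses a SAML response."""


def _ts(value):
    # SAML timestamps are ISO 8601 in UTC; accept the trailing "Z" form.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AcsValidator:
    """Hypothetical ACS-side validator; holds the replay cache and outstanding request IDs."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.skew = clock_skew
        self.pending_requests = set()  # AuthnRequest IDs this SP issued and has not yet seen answered
        self.consumed = {}             # assertion ID -> time after which the record may be dropped

    def issue_request_id(self, request_id):
        self.pending_requests.add(request_id)

    def _purge(self, now):
        # Drop a consumed ID only once its window plus skew has passed; from then on
        # the time check alone rejects the assertion, so nothing is lost.
        for aid, expiry in list(self.consumed.items()):
            if expiry <= now:
                del self.consumed[aid]

    def consume(self, response_xml, now=None):
        now = now or datetime.now(timezone.utc)
        self._purge(now)
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise AssertionRejected("response carries no Assertion")
        aid = assertion.get("ID")
        conditions = assertion.find("saml:Conditions", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if aid is None or conditions is None or scd is None:
            raise AssertionRejected("assertion lacks ID, Conditions or SubjectConfirmationData")

        # 1. Validity window: Conditions plus the bearer SubjectConfirmationData, tighter one wins.
        not_before = conditions.get("NotBefore")
        if not_before and now < _ts(not_before) - self.skew:
            raise AssertionRejected(f"assertion {aid} not yet valid")
        not_after = min(_ts(conditions.get("NotOnOrAfter")), _ts(scd.get("NotOnOrAfter")))
        if now >= not_after + self.skew:
            raise AssertionRejected(f"assertion {aid} expired")

        # 2. One-time use: the check this CVE is about.
        if aid in self.consumed:
            raise AssertionRejected(f"assertion {aid} already consumed")

        # 3. Bind the response to a login this SP actually started (rejects unsolicited responses).
        in_response_to = scd.get("InResponseTo")
        if in_response_to not in self.pending_requests:
            raise AssertionRejected(f"InResponseTo {in_response_to} matches no outstanding request")

        # Record consumption before any session is created, and keep the record for the
        # whole window so a replay inside the skew margin is still caught.
        self.consumed[aid] = not_after + self.skew
        self.pending_requests.discard(in_response_to)
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed sample response (all IDs, hosts and times invented for the example).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-0001"
    InResponseTo="_req-0001" Version="2.0" IssueInstant="2026-06-30T12:00:00Z">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2026-06-30T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-0001"
            NotOnOrAfter="2026-06-30T12:05:00Z" Recipient="https://sp.example.test/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-06-30T11:59:00Z" NotOnOrAfter="2026-06-30T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def run_demo():
    """One valid login, the same assertion replayed seconds later, and again after the window."""
    v = AcsValidator()
    v.issue_request_id("_req-0001")
    t0 = datetime(2026, 6, 30, 12, 1, 0, tzinfo=timezone.utc)
    first = v.consume(SAMPLE_RESPONSE, t0)
    outcomes = []
    for later in (t0 + timedelta(seconds=5), t0 + timedelta(minutes=10)):
        try:
            v.consume(SAMPLE_RESPONSE, later)
            outcomes.append("accepted")
        except AssertionRejected as exc:
            outcomes.append(str(exc))
    return first, outcomes[0], outcomes[1]


if __name__ == "__main__":
    print(run_demo())
```

The replay record is kept in process memory here; in a deployment that runs several replicas of the service behind one ACS URL, the consumed-ID set has to live in shared storage, otherwise a replay routed to a different replica would be accepted.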

Responsible

Suse

Reservation

05/08/2026

Disclosure

06/30/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
