CVE-2026-44947 in Rancher
Summary
by MITRE • 06/30/2026
A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
Analysis
by VulDB Data Team • 06/30/2026
The vulnerability is a critical access control flaw in Rancher's legacy Project Role Template Binding (PRTB) reconciler, affecting versions 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. It stems from inadequate cleanup in the role management code, specifically in how Pod Security Admission (PSA) permissions are handled when a RoleTemplate is modified. When an administrator revokes PSA permissions from a RoleTemplate, the reconciler fails to remove those permissions from existing bindings, leaving a persistent gap in which affected users keep privileges they should no longer have.
The technical root cause is that the reconciler does not perform the cleanup a RoleTemplate modification requires. Classified as CWE-284 Access Control Bypass, it is a weakness in which the system fails to enforce access controls after a configuration change. When an administrator removes PSA permissions from a RoleTemplate, the reconciler should update every associated binding to reflect the change and revoke any permission previously granted through it. Because that cleanup logic is missing, users already bound to a RoleTemplate that once carried these permissions keep their access to Pod Security Admission controls even after the administrator has removed them.
In ATT&CK terms this vulnerability maps to the Privilege Escalation tactic, abused through a weakness in configuration management. The operational impact is severe: users keep access to a security control that should have been revoked, which may let them bypass pod security policies and run workloads with elevated privileges. The window of exposure is the period after an administrator has modified a role template but before existing bindings have been validated and cleaned up, which an attacker could use for persistence and further compromise.
The implications go beyond simple permission retention, because Pod Security Admission is fundamental to a Kubernetes cluster's security posture. PSA permissions govern the policies under which pods are admitted to the cluster, which makes them a valuable target for anyone trying to bypass cluster-level protections. The vulnerability leaves users with persistent, unauthorized access to these controls, which could enable data exfiltration, lateral movement or other malicious activity inside the cluster.
Organizations should immediately upgrade to a patched Rancher release that restores the missing cleanup, add monitoring for RoleTemplate modifications, and audit existing bindings for permissions that should have been revoked. Remediation also requires administrators to manually verify and clean up every affected RoleTemplate binding and to confirm that reconciliation actually propagates template changes, so this class of vulnerability does not recur. Security teams should additionally monitor access control changes continuously and establish automated validation that permission modifications are propagated throughout the system.
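The binding audit recommended above, as an added Go example that is not Rancher's code: it diffs what each binding actually grants against what its RoleTemplate currently allows, which is exactly the set the missing clean-up should have revoked. The `Rule`, `RoleTemplate` and `Binding` types, the `management.cattle.io`/`projects`/`updatepsa` triple used to recognise the PSA permission, and the sample state are all assumptions constructed for this example.

```go
package main
import "fmt"
// Rule is a minimal stand-in for one RBAC PolicyRule (constructed for this example).
type Rule struct{ APIGroup, Resource, Verb string }
// RoleTemplate carries the rules an administrator currently intends to grant.
type RoleTemplate struct{ Rules []Rule }
// Binding models a PRTB plus the rules the reconciler actually materialised for it.
type Binding struct {
	User, RoleTemplate string
	Effective          []Rule
}
// isPSA marks Rancher's "manage PSA" permission. The group/resource/verb triple
// is an assumption made for this example, not taken from the advisory.
func isPSA(r Rule) bool {
	return r.APIGroup == "management.cattle.io" && r.Resource == "projects" && r.Verb == "updatepsa"
}
// StaleGrants returns, keyed by "user@template", the effective rules that the referenced
// RoleTemplate no longer contains, i.e. what the missing clean-up should have revoked.
func StaleGrants(templates map[string]RoleTemplate, bindings []Binding) map[string][]Rule {
	stale := map[string][]Rule{}
	for _, b := range bindings {
		allowed := map[Rule]bool{} // a missing template allows nothing: the whole binding is stale
		for _, r := range templates[b.RoleTemplate].Rules {
			allowed[r] = true
		}
		key := b.User + "@" + b.RoleTemplate
		for _, r := range b.Effective {
			if !allowed[r] {
				stale[key] = append(stale[key], r)
			}
		}
	}
	return stale
}
// sampleData is constructed state: updatepsa was already removed from the
// "project-member" template, but alice's binding was reconciled before the edit.
func sampleData() (map[string]RoleTemplate, []Binding) {
	psa, get := Rule{"management.cattle.io", "projects", "updatepsa"}, Rule{"", "pods", "get"}
	templates := map[string]RoleTemplate{"project-member": {Rules: []Rule{get}}}
	return templates, []Binding{{"alice", "project-member", []Rule{get, psa}}, {"bob", "project-member", []Rule{get}}}
}

func main() {
	templates, bindings := sampleData()
	for key, rules := range StaleGrants(templates, bindings) {
		for _, r := range rules {
			fmt.Printf("%s still holds %+v (PSA: %v)\n", key, r, isPSA(r))
		}
	}
}
```

In a real audit the two inputs would be the live RoleTemplate objects and the Roles the reconciler created for each PRTB; any non-empty result is a binding that reconciliation failed to clean up.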