CVE-2026-44947 - Vulnerability Details - OpenCVE

A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc

History

Tue, 30 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 30 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
Title		Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher
Weaknesses		CWE-281
References		https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2026-06-30T14:21:01.291Z

Updated: 2026-06-30T15:03:44.276Z

Reserved: 2026-05-08T12:29:48.969Z

Link: CVE-2026-44947

Vulnrichment

Updated: 2026-06-30T15:03:39.798Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44947", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-05-08T12:29:48.969Z", "datePublished": "2026-06-30T14:21:01.291Z", "dateUpdated": "2026-06-30T15:03:44.276Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-06-30T14:21:01.291Z"}, "title": "Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher", "datePublic": "2026-06-29T14:20:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-281", "description": "CWE-281 Improper preservation of permissions", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"vendor": "SUSE", "product": "Rancher", "packageName": "Rancher", "repo": "https://github.com/rancher/rancher/", "versions": [{"status": "affected", "version": "2.13.0", "lessThan": "2.13.7", "versionType": "semver"}, {"status": "affected", "version": "2.14.0", "lessThan": "2.14.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A missing clean-up in the legacy Project Role Template Binding (PRTB) \nreconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security \nAdmission (PSA) permissions after an administrator removes those \npermissions from a RoleTemplate.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A missing clean-up in the legacy Project Role Template Binding (PRTB) \nreconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security \nAdmission (PSA) permissions after an administrator removes those \npermissions from a RoleTemplate."}]}], "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"}}], "credits": [{"lang": "en", "value": "Isaac David", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-30T15:03:37.236401Z", "id": "CVE-2026-44947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T15:03:44.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-30T15:03:37.236401Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T15:03:39.798Z"}}], "cna": {"title": "Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Isaac David"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rancher/rancher/", "vendor": "SUSE", "product": "Rancher", "versions": [{"status": "affected", "version": "2.13.0", "lessThan": "2.13.7", "versionType": "semver"}, {"status": "affected", "version": "2.14.0", "lessThan": "2.14.3", "versionType": "semver"}], "packageName": "Rancher", "defaultStatus": "unaffected"}], "datePublic": "2026-06-29T14:20:00.000Z", "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "A missing clean-up in the legacy Project Role Template Binding (PRTB) \nreconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security \nAdmission (PSA) permissions after an administrator removes those \npermissions from a RoleTemplate.", "supportingMedia": [{"type": "text/html", "value": "A missing clean-up in the legacy Project Role Template Binding (PRTB) \nreconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security \nAdmission (PSA) permissions after an administrator removes those \npermissions from a RoleTemplate.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-281", "description": "CWE-281 Improper preservation of permissions"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-06-30T14:21:01.291Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44947", "state": "PUBLISHED", "dateUpdated": "2026-06-30T15:03:44.276Z", "dateReserved": "2026-05-08T12:29:48.969Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2026-06-30T14:21:01.291Z", "assignerShortName": "suse"}, "dataVersion": "5.2"}