CVE-2026-41053
Over-inclusive team membership expansion in GitHub App authentication provider for Rancher
Vexday Risk Score
21 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.8 · EPSS 0.4% · KEV no · PoC — · Nuclei — · Metasploit — · Patch referenced
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Incorrect authentication caching in the team membership expansion of the Rancher GitHub authentication provider caused it to grant principal access to any logged-in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
SUSE · Rancher