Description
A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.

* Write to /var/lib/rancher/ to tamper with cluster state.

* If hostPath volumes are mounted, write to the host node filesystem.

* Use this issue to chain with other attack vectors.
Published: 2026-05-13
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in the compressedEndpoint field of Rancher Extensions allows a malicious UI plugin to write files to arbitrary locations, enabling overwriting of Rancher binaries, configuration files, or data in /var/lib/rancher. The resulting file overwrite can introduce malicious code, corrupt cluster state, or grant further attack leverage. The weakness is identified as CWE‑35, a Path Traversal vulnerability.

Affected Systems

The vulnerability affects the Rancher Extensions component provided by SUSE. No specific version information is listed in the official release notes, so all currently deployed instances of Rancher Extensions are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 8.4 classifies the issue as high severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, so no confirmed exploitation has been reported yet. However, the attack vector likely requires the creation or deployment of a rogue UI plugin, which may be possible to deploy by users with sufficient cluster permissions. If compromise is achieved, the attacker could achieve remote code execution on the Rancher host or infiltrate node file systems via hostPath volumes. Due to the lack of publicly documented exploits, the current risk is considered high but the exploitation probability remains uncertain.

Generated by OpenCVE AI on May 13, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Rancher security patch that resolves compressedEndpoint path traversal
  • Configure Rancher to deny or strictly validate UIPlugin deployments to prevent writes to sensitive system paths
  • Remove or disable custom UI extensions until a patch is available, and monitor the cluster for unauthorized file changes

Generated by OpenCVE AI on May 13, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5v3h-x4wf-5c35 Rancher Extensions have arbitrary file access via path traversal
History

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Suse
Suse rancher
Vendors & Products Suse
Suse rancher

Wed, 13 May 2026 08:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code. * Write to /var/lib/rancher/ to tamper with cluster state. * If hostPath volumes are mounted, write to the host node filesystem. * Use this issue to chain with other attack vectors.
Title Rancher Extensions have arbitrary file access via path traversal
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Suse Rancher
cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-05-14T03:55:59.252Z

Reserved: 2026-02-05T15:37:24.184Z

Link: CVE-2026-25705

cve-icon Vulnrichment

Updated: 2026-05-13T10:48:07.203Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T08:16:16.083

Modified: 2026-05-13T15:35:35.267

Link: CVE-2026-25705

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T09:30:26Z

Weaknesses