Description
A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to break out of an image, and execute e.g. malicious containers.
Published: 2026-06-19
Score: 9.4 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw that occurs when Rancher Manager processes the /v3/import/{token}_{clusterId}.yaml endpoint. Unsanitized YAML parameters allow a remote attacker to break out of an image boundary and execute arbitrary commands, such as creating malicious containers. This is classified as a CWE-95 injection vulnerability and would give the attacker the ability to execute arbitrary commands within the container environment, potentially compromising the entire cluster and any workloads running on it.

Affected Systems

The affected product is Rancher Manager from SUSE, specifically any cluster version before 2.14.2. Users running Rancher Manager 2.14.1 or earlier are susceptible and should check the version they are running.

Risk and Exploitability

The CVSS score of 9.4 signals critical severity. The EPSS score of 1% indicates a low but non‑zero likelihood of exploitation, and the issue is not listed in CISA's KEV catalog. The likely attack vector involves a remote attacker sending a crafted YAML payload to the open import endpoint; no special privileges or network traversal are mentioned, implying that exposure of the endpoint alone may be sufficient to exploit the flaw. Once exploited, the attacker can execute arbitrary commands within the container environment, potentially compromising the entire cluster and any workloads running on it.

Generated by OpenCVE AI on June 24, 2026 at 12:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rancher Manager to version 2.14.2 or later to eliminate the unsanitized YAML processing flaw.
  • Restrict access to the /v3/import/{token}_{clusterId}.yaml endpoint using network policies, firewalls, or API gateway rules so that only trusted IP ranges or authenticated users can reach it.
  • After applying the update, monitor for unexpected container launches and review audit logs for import activity to detect any residual exploitation attempts.

Generated by OpenCVE AI on June 24, 2026 at 12:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mhc6-2gfq-xx62 Rancher vulnerable to command injection through unsanitized YAML parameter
History

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Suse
Suse rancher
Vendors & Products Suse
Suse rancher

Fri, 19 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to break out of an image, and execute e.g. malicious containers.
Title Command injection through unsanitized YAML parameter in Rancher
Weaknesses CWE-95
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-06-24T03:56:15.304Z

Reserved: 2026-05-08T12:29:48.967Z

Link: CVE-2026-44939

cve-icon Vulnrichment

Updated: 2026-06-22T15:09:25.819Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')