Description
A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertions, potentially allowing person in the middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3.
Published: 2026-06-30
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Rancher’s Assertion Consumer Service does not enforce one‑time use of SAML assertions, allowing an attacker to replay a captured assertion for additional authentications. The effect of this flaw is that an adversary can gain unauthorized access to Rancher’s administrative interface or other privileged actions without needing credentials. The weakness is classified as CWE‑294, reflecting a failure to protect the integrity of authentication data.

Affected Systems

SUSE Rancher versions 2.14.0 and later, up to but not including 2.14.3, are vulnerable. The issue is fixed in the 2.14.3 release and later versions.

Risk and Exploitability

The CVSS score of 9.5 marks this as critical; the EPSS score is not available, and the absence of a KEV listing does not diminish the likelihood of exploitation. The vulnerability can be exploited remotely over the network by intercepting a valid SAML response, which makes it suited to a man‑in‑the‑middle scenario. Exploitation requires interception of traffic or access to a session in which a SAML assertion was previously issued.

Generated by OpenCVE AI on June 30, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rancher to version 2.14.3 or later where the Assertion Consumer Service validates single‑use assertions
  • Enable the Assertion Consumer Service configuration to require one‑time SAML assertions
  • Harden the SAML traffic path by enforcing TLS, network segmentation, and monitoring for replay attempts
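
The single-use check that the 2.14.3 upgrade and the ACS setting above are meant to enforce, shown as an added Go example that is not Rancher's own code: a replay guard that records each consumed assertion ID until the assertion's NotOnOrAfter and refuses any second presentation. The assertion struct, the ReplayGuard type and the sample XML are assumptions constructed for this illustration, and signature, issuer and audience validation are assumed to have run before it.

```go
package main

import (
	"encoding/xml"
	"errors"
	"sync"
	"time"
)

// Minimal view of a SAML 2.0 assertion (assumed shape); signature, issuer and audience are assumed already verified.
type assertion struct {
	ID         string `xml:"ID,attr"`
	Conditions struct{ NotOnOrAfter string `xml:"NotOnOrAfter,attr"` } `xml:"Conditions"`
}
var ErrExpired = errors.New("saml: assertion is past NotOnOrAfter")
var ErrReplay = errors.New("saml: assertion ID already consumed")
// ReplayGuard remembers each consumed assertion ID until its NotOnOrAfter, so a captured assertion cannot authenticate twice.
type ReplayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time // assertion ID -> NotOnOrAfter
}
func NewReplayGuard() *ReplayGuard { return &ReplayGuard{seen: map[string]time.Time{}} }
// Consume accepts an assertion only on its first presentation inside its validity window; later presentations of the same ID are replays.
func (g *ReplayGuard) Consume(raw []byte, now time.Time) error {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return err
	}
	exp, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil || a.ID == "" {
		return errors.New("saml: assertion lacks an ID or a parsable NotOnOrAfter")
	}
	if !now.Before(exp) {
		return ErrExpired
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for id, e := range g.seen { // prune IDs whose window has closed: they can never validate again
		if !now.Before(e) {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[a.ID]; dup {
		return ErrReplay
	}
	g.seen[a.ID] = exp
	return nil
}
// Constructed sample assertion, not captured from any real IdP.
const sampleAssertion = `<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01"><Conditions NotOnOrAfter="2026-06-30T12:05:00Z"/></Assertion>`
```

Because entries are dropped once their own NotOnOrAfter passes, the cache stays bounded by the IdP's assertion lifetime rather than growing without limit.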

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type: First Time appeared
  Values Added: Suse; Suse rancher
Type: Vendors & Products
  Values Added: Suse; Suse rancher

Tue, 30 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 12:30:00 +0000

Type: Description
  Values Added: A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertion, potentially allowing person in the middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3,
Type: Title
  Values Added: SAML Authentication Replay in Rancher
Type: Weaknesses
  Values Added: CWE-294
Type: References
Type: Metrics (cvssV4_0)
  Values Added: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-06-30T13:44:26.795Z

Reserved: 2026-05-08T12:29:48.969Z

Link: CVE-2026-44946

Vulnrichment

Updated: 2026-06-30T13:44:21.786Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T18:15:15Z

Weaknesses
  • CWE-294

    Authentication Bypass by Capture-replay