Description
A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing cleanup in the legacy Project Role Template Binding reconciler, allowing users to retain unauthorized Pod Security Admission permissions after those permissions are removed from a RoleTemplate. This can result in pods running with elevated privileges or bypassing security policies, directly impacting the integrity and confidentiality of the cluster. The weakness is classified as CWE-281, Improper Preservation of Permissions.

Affected Systems

SUSE Rancher versions 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3 are affected. The flaw arises during RoleTemplate downgrades that leave stale ClusterRoleBinding objects for PSA.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Attackers could exploit this bug by controlling a RoleTemplate and performing a downgrade, which would leave privileged PSA bindings in place, giving them unauthorized control over pod security settings. The likelihood of an attack depends on the presence of an attacker with administrative access to create or modify RoleTemplates.

Generated by OpenCVE AI on June 30, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rancher 2.13.8 or newer, or 2.14.4 or newer, where the bug is fixed.
  • Manually delete any stale PSA ClusterRoleBinding objects that persist after RoleTemplate changes, using kubectl or the Rancher UI.
  • Verify that RoleTemplate modifications result in appropriate cleanup of PSA bindings by reviewing ClusterRoleBindings or employing RBAC audit tools, and implement a process to enforce this cleanup after future updates.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:15:00 +0000

  • First Time appeared (values added): Suse; Suse rancher
  • Vendors & Products (values added): Suse; Suse rancher

Tue, 30 Jun 2026 15:30:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 15:00:00 +0000

  • Description (values added): A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
  • Title (values added): Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher
  • Weaknesses (values added): CWE-281
  • References (values added): none listed
  • Metrics (values added): cvssV4_0
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-06-30T15:03:44.276Z

Reserved: 2026-05-08T12:29:48.969Z

Link: CVE-2026-44947

Vulnrichment

Updated: 2026-06-30T15:03:39.798Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:00:13Z

Weaknesses
  • CWE-281: Improper Preservation of Permissions