CVE-2026-44939

Summary

A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to break out of an image, and execute e.g. malicious containers.

Affected Software

VendorProductVersion RangeStatus
SUSERancher2.14.0 < 2.14.2affected
SUSERancher2.13.0 < 2.13.6affected
SUSERancher2.12.0 < 2.12.10affected
SUSERancher2.11.0 < 2.11.14affected
SUSERancher2.10.0 < 2.10.12affected

Weaknesses

  • CWE-95: CWE-95 Improper neutralization of directives in dynamically evaluated code ('eval injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References