ctipilot.ch

SUSE Rancher — project-owner role can flip namespace PSA labels to privileged, enabling container-to-host escape (CVSS 8.4)

cve · CVE-2026-41052

Coverage timeline
1
first 2026-05-29 → last 2026-05-31
Peak priority
notable
1 notable
Sources cited
4
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-29CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership
    trending-vulnerabilitiesCVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • github.com3 (75%)
  • wid.cert-bund.de1 (25%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about SUSE Rancher — project-owner role can flip namespace PSA labels to privileged, enabling container-to-host escape (CVSS 8.4) (1)

2026-05-29 · view entry permalink →

CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership

SUSE Rancher patched three vulnerabilities on 2026-05-27. CVE-2026-44939 (CVSS 9.6, GHSA-mhc6-2gfq-xx62) is a command injection in the cluster-import endpoint /v3/import/{token}_{clusterId}.yaml: the authImage query parameter is not sanitised, so URL-encoded newlines (%0A) break out of the YAML image: field and inject arbitrary YAML keys into the cluster-import manifest. When an admin runs kubectl apply against the malicious manifest, attacker-controlled commands run on control-plane nodes through a deployed DaemonSet with elevated privileges. Affected: 2.10.0–2.10.11, 2.11.0–2.11.13, 2.12.0–2.12.9, 2.13.0–2.13.5, 2.14.0–2.14.1. CVE-2026-41052 (CVSS 8.4, GHSA-vx8h-4prv-g744) lets project-owner users flip namespace Pod Security Admission labels to privileged, enabling container-to-host escape. CVE-2026-41053 (CVSS 8.8, GHSA-4j6x-2764-m8gh) is an authorization bug in the GitHub-App auth provider that grants group principals for every GitHub-org team to any user who belongs to at least one team. BSI advisory WID-SEC-2026-1716 carries the German-CERT corroboration. Fixed in 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2.

vulnerability29 May 05:00Zmulti-sourceOpen finding ↗