ctipilot.ch

SUSE Rancher — project-owner role can flip namespace PSA labels to privileged, enabling container-to-host escape (CVSS 8.4)

cve · CVE-2026-41052

Coverage timeline: 1 (first 2026-05-29 → last 2026-05-29)
Briefs: 1 (1 distinct)
Sources cited: 4 (2 hosts)
Sections touched: 0
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-29: CTI Daily Brief — 2026-05-29

Source distribution

  • github.com: 3 (75%)
  • wid.cert-bund.de: 1 (25%)

Related entities

Items in briefs about SUSE Rancher — project-owner role can flip namespace PSA labels to privileged, enabling container-to-host escape (CVSS 8.4) (1)

CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

SUSE Rancher patched three vulnerabilities on 2026-05-27. Affected versions: 2.10.0–2.10.11, 2.11.0–2.11.13, 2.12.0–2.12.9, 2.13.0–2.13.5, 2.14.0–2.14.1. Fixed in 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2.

CVE-2026-44939 (CVSS 9.6, GHSA-mhc6-2gfq-xx62) is a command injection in the cluster-import endpoint /v3/import/{token}_{clusterId}.yaml. The authImage query parameter is not sanitised, so URL-encoded newlines (%0A) break out of the YAML image: field and inject arbitrary YAML keys into the generated cluster-import manifest. When an admin runs kubectl apply against the malicious manifest, attacker-controlled commands run on control-plane nodes through a deployed DaemonSet with elevated privileges.

CVE-2026-41052 (CVSS 8.4, GHSA-vx8h-4prv-g744) lets project-owner users flip namespace Pod Security Admission labels to privileged, enabling container-to-host escape. CVE-2026-41053 (CVSS 8.8, GHSA-4j6x-2764-m8gh) is an authorization bug in the GitHub-App auth provider that grants group principals for every team in the GitHub organization to any user who belongs to at least one team. BSI advisory WID-SEC-2026-1716 provides the corroborating notice from the German CERT-Bund.
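The root cause of CVE-2026-44939 as described above is a value from a query string spliced into a YAML template without validation, so a decoded newline becomes a new YAML line. The following is an added illustration, not Rancher's code: it puts the naive template pattern beside a hardened version that decodes the parameter, rejects any control character, and accepts only a conservative image-reference grammar before emitting the value as a quoted scalar. The grammar, helper names and the sample inputs are constructed for this example and are not taken from the advisory.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed approximation of an OCI image reference:
# host[:port] / path components [:tag] [@sha256:digest]. Intentionally strict.
_IMAGE_REF = re.compile(
    r"^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]{1,5})?"   # registry host[:port]
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"               # path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?"          # optional tag
    r"(?:@sha256:[a-f0-9]{64})?$"                        # optional digest
)


def naive_render(auth_image: str) -> str:
    """The unsafe pattern: URL-decode the parameter and splice it into the template.

    A decoded %0A ends the image: line, so whatever follows becomes new YAML.
    """
    return f"image: {unquote(auth_image)}"


def yaml_key_count(text: str) -> int:
    """Count top-level 'key:' lines; a cheap way to see whether extra keys appeared."""
    return sum(1 for line in text.splitlines() if re.match(r"^[A-Za-z_][\w-]*:", line))


def validate_image_ref(raw_param: str) -> Optional[str]:
    """Return the decoded image reference if it is well formed, else None."""
    decoded = unquote(raw_param)
    # Reject every control character (LF, CR, TAB, NUL, DEL) before any grammar
    # check, so the value can never span more than one line of the manifest.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None
    if not _IMAGE_REF.fullmatch(decoded):
        return None
    return decoded


def safe_render(raw_param: str) -> str:
    """Hardened rendering: validate first, then emit a double-quoted YAML scalar.

    The grammar above already excludes quotes, backslashes and whitespace, so the
    quoted form cannot be terminated early by the value itself.
    """
    ref = validate_image_ref(raw_param)
    if ref is None:
        raise ValueError("authImage rejected: not a well-formed image reference")
    return f'image: "{ref}"'


if __name__ == "__main__":
    # Constructed sample: a normal tag and a value carrying an encoded newline.
    print(naive_render("agent:v1"))
    print(yaml_key_count(naive_render("agent:v1%0Aextra_key: value")), "keys from naive render")
    print(safe_render("agent:v1"))
    print(validate_image_ref("agent:v1%0Aextra_key: value"))  # None: rejected
```

Validating on the server is the fix; a detection-side complement is to alert on requests to the import endpoint whose authImage parameter decodes to anything containing control characters, since a legitimate image reference never does.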