Cyber Resilience

CVE-2026-41053

High

Published: 30 June 2026

Published
30 June 2026
Modified
02 July 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 29.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41053 is a high-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Suse Rancher. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Incorrect authentication caching in the team membership expansion of the Rancher GitHub authentication provider caused it to grant principal access to any logged-in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication-caching flaw directly enables unauthorized principal access (T1078) via the public Rancher web app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-43758 · Same product: Suse Rancher
CVE-2023-22648 · Same product: Suse Rancher
CVE-2026-41052 · Same product: Suse Rancher
CVE-2021-36784 · Same product: Suse Rancher
CVE-2020-10676 · Same product: Suse Rancher
CVE-2022-43759 · Same product: Suse Rancher
CVE-2021-4200 · Same product: Suse Rancher
CVE-2022-31247 · Same product: Suse Rancher
CVE-2022-43755 · Same product: Suse Rancher
CVE-2025-67601 · Same product: Suse Rancher

Affected Assets

suse
rancher
2.13.0 — 2.13.6 · 2.14.0 — 2.14.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
