CVE-2026-25705 - Vulnerability Details - OpenCVE

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code. * Write to /var/lib/rancher/ to tamper with cluster state. * If hostPath volumes are mounted, write to the host node filesystem. * Use this issue to chain with other attack vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/mdr-for-endpoint
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705
https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35

History

Wed, 13 May 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code. * Write to /var/lib/rancher/ to tamper with cluster state. * If hostPath volumes are mounted, write to the host node filesystem. * Use this issue to chain with other attack vectors.
Title		Rancher Extensions have arbitrary file access via path traversal
Weaknesses		CWE-35
References		https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705 https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2026-05-13T08:00:46.097Z

Updated: 2026-05-13T08:01:27.283Z

Reserved: 2026-02-05T15:37:24.184Z

Link: CVE-2026-25705

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25705", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-02-05T15:37:24.184Z", "datePublished": "2026-05-13T08:00:46.097Z", "dateUpdated": "2026-05-13T08:01:27.283Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-05-13T08:01:27.283Z"}, "title": "Rancher Extensions have arbitrary file access via path traversal", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-35", "description": "CWE-35 Path traversal: '.../...//'", "type": "CWE"}]}], "affected": [{"vendor": "SUSE", "product": "rancher", "packageName": "github.com/rancher/rancher", "versions": [{"status": "affected", "version": "2.14.0", "lessThan": "2.14.1", "versionType": "semver"}, {"status": "affected", "version": "2.13.0", "lessThan": "2.13.5", "versionType": "semver"}, {"status": "affected", "version": "2.12.0", "lessThan": "2.12.9", "versionType": "semver"}, {"status": "affected", "version": "2.10.11", "lessThan": "2.11.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.\n\n * Write to /var/lib/rancher/ to tamper with cluster state.\n\n * If hostPath volumes are mounted, write to the host node filesystem.\n\n * Use this issue to chain with other attack vectors.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to:<div><ul><li>Overwrite Rancher binaries or configuration to inject code.</li>\n<li>Write to <code>/var/lib/rancher/</code> to tamper with cluster state.</li>\n<li>If <code>hostPath</code> volumes are mounted, write to the host node filesystem.</li>\n<li>Use this issue to chain with other attack vectors.</li></ul></div>"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "https://github.com/KoreaSecurity", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}