Rancher: Cloud credentials can be used through proxy API by users without access
Description
Improper access control in Rancher allows authenticated users to use cloud credentials via proxy API without proper authorization, affecting versions prior to 2.5.9 and 2.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper access control vulnerability exists in Rancher's handling of cloud credentials. Authenticated Rancher users can send requests to a cloud provider through Rancher's proxy API and reference a cloud-credential ID in the request; Rancher attaches the referenced credential to the proxied request without checking that the caller is authorized to use that credential. This affects Rancher versions prior to 2.5.9 and prior to 2.4.16 [1][3].
Exploitation
The attacker must be a valid, logged-in Rancher user and must know a valid cloud-credential ID for the target cloud provider. Calling that provider's API through Rancher's proxy API while supplying the credential ID causes Rancher to attach the credential to the forwarded request, so the call is executed with that credential's privileges even though the attacker was never granted access to it [3].
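The pattern described above is a missing object-level authorization check on a credential reference: the proxy resolves an ID to a secret and attaches it without asking whether the caller may use that secret. The following Go program is an added illustration, not Rancher's code; the store, the header names `X-Authenticated-User` and `X-Cloud-Credential-Id`, the `/meta/proxy/` path and all record names are constructed assumptions. It places the unchecked lookup beside a checked one and probes both with a caller who knows another user's credential ID.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CloudCredential is a hypothetical record: a secret owned by one principal.
type CloudCredential struct {
	ID     string
	Owner  string // user allowed to use this credential
	Secret string
}

// store is a constructed in-memory credential store standing in for the
// real one; the IDs and secrets are sample data, not Rancher's layout.
var store = map[string]CloudCredential{
	"cc-alice": {ID: "cc-alice", Owner: "alice", Secret: "AKIA-ALICE-EXAMPLE"},
	"cc-bob":   {ID: "cc-bob", Owner: "bob", Secret: "AKIA-BOB-EXAMPLE"},
}

var ErrForbidden = errors.New("forbidden")

// lookupUnchecked mirrors the vulnerable behaviour: any authenticated caller
// who supplies a valid credential ID gets that credential attached.
func lookupUnchecked(_ string, credID string) (CloudCredential, error) {
	c, ok := store[credID]
	if !ok {
		return CloudCredential{}, ErrForbidden
	}
	return c, nil
}

// lookupChecked is the hardened form: the credential is released only when
// the caller is authorized for that specific credential (here, is its owner).
func lookupChecked(caller string, credID string) (CloudCredential, error) {
	c, ok := store[credID]
	if !ok || c.Owner != caller {
		// Same error for "unknown ID" and "not yours", so a caller cannot
		// enumerate which IDs exist by comparing responses.
		return CloudCredential{}, ErrForbidden
	}
	return c, nil
}

type lookupFn func(caller, credID string) (CloudCredential, error)

// proxyHandler forwards a request to an upstream cloud API, attaching the
// secret referenced by X-Cloud-Credential-Id. The caller identity is read from
// X-Authenticated-User, assumed to be set by an authentication layer in front.
func proxyHandler(lookup lookupFn, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		caller := r.Header.Get("X-Authenticated-User")
		if caller == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		cred, err := lookup(caller, r.Header.Get("X-Cloud-Credential-Id"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		// The credential ID is replaced by the real secret before forwarding.
		r.Header.Del("X-Cloud-Credential-Id")
		r.Header.Set("Authorization", "Bearer "+cred.Secret)
		upstream.ServeHTTP(w, r)
	})
}

// Probe issues one proxied request as caller naming credID and returns the
// HTTP status plus the Authorization header the fake upstream received.
func Probe(lookup lookupFn, caller, credID string) (int, string) {
	var seen string
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/meta/proxy/cloud.example/", nil)
	req.Header.Set("X-Authenticated-User", caller)
	req.Header.Set("X-Cloud-Credential-Id", credID)
	rec := httptest.NewRecorder()
	proxyHandler(lookup, upstream).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	// bob supplies alice's credential ID: accepted by the unchecked lookup,
	// refused by the checked one.
	code, auth := Probe(lookupUnchecked, "bob", "cc-alice")
	fmt.Printf("unchecked: %d %q\n", code, auth)
	code, auth = Probe(lookupChecked, "bob", "cc-alice")
	fmt.Printf("checked:   %d %q\n", code, auth)
}
```

The important property is that the check is keyed on the pair (caller, credential), not on the caller merely being authenticated; authentication already held for the attacker in this CVE, so any fix that only confirms a valid session would not close the hole.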
Impact
Successful exploitation lets the attacker make API calls to the cloud provider under a credential they were never granted, potentially leading to unauthorized access to cloud resources, data exposure, or further compromise. The attacker gains the privileges the cloud credential holds at the provider without needing the credential's secret value, only its ID [1][3].
Mitigation
Upgrade to Rancher 2.4.16 or 2.5.9, or a later release of the respective branch. There is no workaround other than upgrading [3]. After upgrading, it is prudent to review cloud-provider access logs for unexpected API activity attributed to credentials stored in Rancher and to rotate any credential that may have been misused.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/rancher/rancher | Go | >= 2.2.0, < 2.4.16 | 2.4.16 |
| github.com/rancher/rancher | Go | >= 2.5.0, < 2.5.9 | 2.5.9 |
Affected products
Sourced from GHSA coordinates; no CPE is assigned to either entry.
- pkg:golang/github.com/rancher/rancher: >= 2.2.0, < 2.4.16 (+ 1 more range)
- pkg:rpm/opensuse/govulncheck-vulndb?distro=openSUSE%20Leap%2015.6: < 0.0.20260317T205859-150000.1.152.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-gqf8-rvrh-g7w6 (GitHub Advisory Database entry)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-25320 (NVD entry)
- [3] https://bugzilla.suse.com/show_bug.cgi (SUSE Bugzilla, confirmation reference; bug ID not present on this page)
- [4] https://github.com/rancher/rancher/security/advisories/GHSA-gqf8-rvrh-g7w6 (Rancher security advisory)
News mentions
No linked articles in our index yet.