Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
Description
CVE-2022-21953: Missing authorization in SUSE Rancher allows authenticated users to create unauthorized shell pods and kubectl access in the local cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-21953 is a missing authorization vulnerability in SUSE Rancher affecting versions prior to 2.5.17, 2.6.10, and 2.7.1. An authenticated user who holds permissions on any downstream cluster can obtain shell pod and kubectl access to the Rancher local cluster, the cluster that runs Rancher itself. Such access is meant to be granted explicitly; here it is obtained without any grant [1][2].
Exploitation
Mechanism
The vulnerability can be exploited in two ways. For shell pod access, a user who is permitted to open a shell pod in the Rancher UI for a downstream cluster intercepts the web request (for example with browser developer tools or an intercepting proxy) and changes the shell's target from that downstream cluster to the Rancher local cluster; the server does not verify that the user is authorized for the cluster named in the request. The flaw does not allow access to a downstream cluster the user has no permission on [2]. For kubectl access, the user downloads the kubeconfig file for a downstream cluster and alters its server address so that it points to the local cluster instead [2]. No additional authentication is needed beyond being an authenticated Rancher user with access to at least one downstream cluster.
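Both paths end up as API requests that Rancher proxies to the local cluster, so a defender who has Rancher's API audit log enabled can look for local-cluster requests from users who are not expected to have access there. The Go program below is an added example for this page; it is not Rancher's code and does not come from the advisory. It assumes that Rancher proxies cluster traffic under `/k8s/clusters/<cluster-id>` with `local` as the local cluster's ID, that audit lines are JSON objects with `auditID`, `requestURI`, `method`, `remoteAddr` and `user.name` fields, and that the allowlist of users who legitimately reach the local cluster is maintained elsewhere. The sample log lines are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// auditEntry holds the fields of one Rancher API audit log line (JSON, one
// event per line) that the check uses. The field names are assumed here.
type auditEntry struct {
	AuditID    string `json:"auditID"`
	RequestURI string `json:"requestURI"`
	Method     string `json:"method"`
	RemoteAddr string `json:"remoteAddr"`
	User       struct {
		Name string `json:"name"`
	} `json:"user"`
}

// Finding is one request that reached the local cluster from a user who is
// not on the allowlist.
type Finding struct {
	AuditID    string
	User       string
	Method     string
	RequestURI string
	RemoteAddr string
}

// localClusterPrefix is the path under which Rancher proxies requests to the
// local cluster ("local" is its cluster ID; downstream clusters have IDs such
// as c-m-xxxxx). Assumed for this example.
const localClusterPrefix = "/k8s/clusters/local"

// isLocalClusterRequest reports whether a request path targets the local
// cluster proxy. The boundary check keeps "/k8s/clusters/localxyz" from matching.
func isLocalClusterRequest(uri string) bool {
	if !strings.HasPrefix(uri, localClusterPrefix) {
		return false
	}
	rest := uri[len(localClusterPrefix):]
	return rest == "" || rest[0] == '/' || rest[0] == '?'
}

// ScanAuditLog reads JSON-lines audit events and returns every request to the
// local cluster made by a user not in allowedUsers. An altered kubeconfig and
// a redirected UI shell both produce requests under the local cluster proxy
// path, so one check covers both. Malformed lines are counted, not fatal, so
// one bad line cannot hide findings elsewhere in the file.
func ScanAuditLog(r io.Reader, allowedUsers map[string]bool) (findings []Finding, malformed int, err error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // audit lines can be long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if json.Unmarshal([]byte(line), &e) != nil {
			malformed++
			continue
		}
		if !isLocalClusterRequest(e.RequestURI) || allowedUsers[e.User.Name] {
			continue
		}
		findings = append(findings, Finding{
			AuditID: e.AuditID, User: e.User.Name, Method: e.Method,
			RequestURI: e.RequestURI, RemoteAddr: e.RemoteAddr,
		})
	}
	return findings, malformed, sc.Err()
}

// sampleAuditLog is constructed for this example; it is not a real log.
const sampleAuditLog = `
{"auditID":"a1","requestURI":"/k8s/clusters/local/api/v1/namespaces","method":"GET","remoteAddr":"10.0.0.5:51000","user":{"name":"admin"}}
{"auditID":"a2","requestURI":"/k8s/clusters/c-m-abc12345/api/v1/namespaces/default/pods","method":"GET","remoteAddr":"10.0.0.9:51010","user":{"name":"u-abc123"}}
{"auditID":"a3","requestURI":"/k8s/clusters/local/api/v1/namespaces/cattle-system/pods","method":"POST","remoteAddr":"10.0.0.9:51011","user":{"name":"u-abc123"}}
{"auditID":"a4","requestURI":"/k8s/clusters/local/api/v1/namespaces/cattle-system/pods/shell-pod/exec?command=sh&stdin=true&tty=true","method":"GET","remoteAddr":"10.0.0.9:51012","user":{"name":"u-abc123"}}
this line is not JSON
`

func main() {
	allowed := map[string]bool{"admin": true} // users expected to reach the local cluster
	findings, malformed, err := ScanAuditLog(strings.NewReader(sampleAuditLog), allowed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s %s %s from %s\n", f.AuditID, f.User, f.Method, f.RequestURI, f.RemoteAddr)
	}
	fmt.Printf("%d finding(s), %d malformed line(s)\n", len(findings), malformed)
}
```

Run against the sample, the scanner reports the pod creation (a3) and the exec (a4) by `u-abc123` and ignores the same user's downstream request (a2) and the admin's local-cluster request (a1). In practice the allowlist should be the set of users and service accounts holding explicit local-cluster roles, and a hit from anyone else on an unpatched Rancher is worth treating as an incident rather than noise.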
Impact
An attacker exploiting this vulnerability gains a limited, non-root shell pod in the local cluster. The shell runs as a non-root user, but the attacker can still download and execute binaries, so the real impact depends on how the local cluster is configured. If the local cluster has unrestricted outbound network access, the attacker can open a reverse connection from the shell pod to an external host. If pods in the local cluster can reach a cloud metadata API, the attacker can read the cloud credentials of the node the pod runs on and use them against the underlying infrastructure [2].
Mitigation
SUSE and Rancher have released patches. Upgrade to the fixed release of the minor version in use: 2.5.17, 2.6.10, or 2.7.1 (or later). Where upgrading is not immediately possible, reduce the blast radius with the usual hardening measures: restrict outbound network access from the local cluster, and block access to cloud metadata APIs from pods in it [2][3]. The CVE is recorded as resolved and fixed in the SUSE bug tracker [3].
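The metadata part of that advice can be expressed as a Kubernetes NetworkPolicy. The manifest below is an added example for this page, not Rancher's own configuration and not taken from the advisory. It assumes that the shell pods land in the `cattle-system` namespace, that the cloud metadata service lives at the link-local address 169.254.169.254 (the address used by the major providers), and that the local cluster's CNI enforces NetworkPolicy; without an enforcing CNI the object is accepted but does nothing.

```yaml
# Added example, not Rancher's own configuration. Blocks egress from every pod
# in the namespace to the cloud metadata endpoint while leaving all other
# egress (DNS, the API server, image registries) untouched. The namespace and
# the metadata address are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-cloud-metadata-egress
  namespace: cattle-system
spec:
  podSelector: {}          # every pod in the namespace, shell pods included
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

After applying it, a request to `http://169.254.169.254/` from a pod in the namespace should time out instead of returning instance data. Tightening the remaining egress to a default deny that allowlists only cluster DNS and the API server addresses the reverse-connection case as well, at the cost of having to enumerate whatever else Rancher legitimately reaches from that namespace. Cloud-side controls (restricting what the node's instance credentials are allowed to do) complement the policy rather than replace it, since a pod that escapes the namespace escapes the policy too.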
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/rancher/rancher | Go | >= 2.5.0, < 2.5.17 | 2.5.17 |
| github.com/rancher/rancher | Go | >= 2.6.0, < 2.6.10 | 2.6.10 |
| github.com/rancher/rancher | Go | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.