Rancher: Privilege escalation via promoted roles
Description
A privilege escalation vulnerability in SUSE Rancher allows users with the escalate verb on Project Role Template Bindings to escalate permissions for -promoted resources across clusters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-43759 is an improper privilege management vulnerability in SUSE Rancher affecting versions prior to 2.5.17 and 2.6.10. The core flaw lies in an authorization logic error where users who have the escalate verb on projectroletemplatebindings.management.cattle.io (PRTBs) can escalate their permissions for any "-promoted" resource in any cluster where they have a PRTB granting such permissions in at least one project [1]. On a default deployment, only the "Project Owner" and "Manage Project Members" roles possess these permissions, implying the attacker must already have a relatively privileged role [1].
Attack Vector and Prerequisites
Exploitation requires a user with access to the escalate verb on PRTBs, including users with wildcard (*) verbs on those bindings. This allows the user to elevate privileges for -promoted resources such as nodes, persistentvolumes, storageclasses, apiservices, clusterrepos, and local clusters (in the management.cattle.io API group) [1]. The attack is possible in both Rancher 2.5.x and 2.6.x, but not in 2.7 releases [1]. If a role template granting access to these objects already exists, even users without built-in permissions could exploit the flaw [1].
Impact
A successful attacker can escalate privileges within a cluster, gaining control over sensitive resources that typically require higher-level permissions. This could lead to full cluster compromise, including the ability to manage persistent storage, API services, cluster repositories, and even the local management cluster [1]. The CVSS score reflects a high severity due to the potential for significant impact on confidentiality, integrity, and availability [2].
Mitigation and Remediation
SUSE has addressed the vulnerability in Rancher versions 2.5.17 and 2.6.10 [1][2]. Users unable to upgrade immediately should restrict the "Project Owner" and "Manage Project Members" roles to trusted users only, as these are the default roles with the necessary privileges [1]. Administrators should also review and audit PRTB assignments to ensure least-privilege principles are followed. The Rancher project maintains a security advisory with full details [1].
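The audit step above can be automated. The following is an added example, not code from Rancher or SUSE: it walks a list of roles whose rules use the Kubernetes PolicyRule shape (apiGroups / resources / verbs), which is the shape a Rancher RoleTemplate or a derived Kubernetes Role exposes, and flags every rule that grants the `escalate` verb, or a wildcard verb, on projectroletemplatebindings in the management.cattle.io group. The sample roles are constructed for illustration; in practice the list would come from the cluster's role templates and roles, and custom roles carrying this grant matter as much as the built-in ones, since the advisory notes that any such role template widens who can exploit the flaw.

```python
"""Audit RBAC rules for the grant abused in CVE-2022-43759: the `escalate`
verb (or a wildcard verb) on projectroletemplatebindings in the
management.cattle.io API group.

Added example, not code from Rancher or SUSE. It assumes rules are in the
Kubernetes PolicyRule shape (apiGroups / resources / verbs); the sample
roles below are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List

TARGET_GROUP = "management.cattle.io"
TARGET_RESOURCE = "projectroletemplatebindings"
RISKY_VERBS = {"escalate", "*"}


@dataclass(frozen=True)
class Finding:
    role: str      # name of the role or role template
    verbs: tuple   # the risky verbs the matching rule grants, sorted


def _covers(values: List[str], wanted: str) -> bool:
    """A rule field matches if it names the value or uses the wildcard."""
    return "*" in values or wanted in values


def rule_grants_prtb_escalate(rule: Dict) -> bool:
    """True if this single PolicyRule lets the holder escalate PRTBs."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    return (
        _covers(groups, TARGET_GROUP)
        and _covers(resources, TARGET_RESOURCE)
        and bool(RISKY_VERBS & verbs)
    )


def audit_roles(roles: List[Dict]) -> List[Finding]:
    """Return one Finding per rule that grants escalate (or *) on PRTBs."""
    findings = []
    for role in roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            if rule_grants_prtb_escalate(rule):
                risky = tuple(sorted(RISKY_VERBS & set(rule.get("verbs", []))))
                findings.append(Finding(name, risky))
    return findings


# Constructed sample roles, mimicking Rancher RoleTemplate / Role rules.
SAMPLE_ROLES = [
    {"metadata": {"name": "project-owner-like"},
     "rules": [{"apiGroups": ["management.cattle.io"],
                "resources": ["projectroletemplatebindings"],
                "verbs": ["get", "list", "create", "escalate"]}]},
    {"metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "project-member"},
     "rules": [{"apiGroups": ["management.cattle.io"],
                "resources": ["projectroletemplatebindings"],
                "verbs": ["get", "list", "watch"]}]},
    # escalate, but on a different resource: not the PRTB grant, so not flagged
    {"metadata": {"name": "k8s-role-escalator"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["roles"],
                "verbs": ["escalate"]}]},
]


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES):
        print(f"{f.role}: grants {', '.join(f.verbs)} on {TARGET_RESOURCE}")
```

Run against the constructed sample, the audit reports `project-owner-like` (explicit escalate) and `wildcard-admin` (verb `*`), and ignores the read-only project member and the role whose escalate applies to a different resource. Wildcards are checked on all three fields because a `*` in apiGroups or resources covers the PRTB resource just as an explicit name does.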
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/rancher (Go) | >= 2.5.0, < 2.5.17 | 2.5.17 |
| github.com/rancher/rancher (Go) | >= 2.6.0, < 2.6.10 | 2.6.10 |
Affected products (2)
Patches (0): no patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0): no linked articles in our index yet.