High severity8.4GHSA Advisory· Published May 13, 2026· Updated May 13, 2026
CVE-2026-25705
CVE-2026-25705
Description
A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.
- Write to /var/lib/rancher/ to tamper with cluster state.
- If hostPath volumes are mounted, write to the host node filesystem.
- Use this issue to chain with other attack vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/rancher/rancherGo | >= 2.14.0, < 2.14.1 | 2.14.1 |
github.com/rancher/rancherGo | >= 2.13.0, < 2.13.5 | 2.13.5 |
github.com/rancher/rancherGo | >= 2.12.0, < 2.12.9 | 2.12.9 |
github.com/rancher/rancherGo | >= 2.10.11, < 2.11.13 | 2.11.13 |
Affected products
1Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.