The SUSE Rancher Team has issued fixes for three vulnerabilities affecting Rancher Manager, with severities ranging from Medium to High. These flaws could lead to denial of service, information leakage, or phishing-enabled token theft, putting enterprise Kubernetes management at risk.
CVE-2024-58260 – Username Manipulation Locks Out Admins (CVSS 7.6)
A flaw in Rancher Manager’s user update logic could allow attackers with elevated privileges to lock out administrators.
The advisory explains: “A user with permission to update another user’s resource can set its .username to ‘admin’, preventing both the legitimate admin and the affected user from logging in, as Rancher enforces uniqueness at login time.”
This enables both username takeover and account lockout, effectively denying service to administrators and disrupting platform governance.
Rancher now blocks username modifications once set, ensuring immutability after creation. Fixed in v2.12.2, v2.11.6, v2.10.10, and v2.9.12.
CVE-2025-54468 – Sensitive Header Leakage via /meta/proxy (CVSS 4.7)
A less severe but still concerning issue involves Rancher’s proxying mechanism.
According to the advisory, “Impersonate-Extra- headers are being sent to an external entity, for example amazonaws.com, via the /meta/proxy Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses.”
While no passwords or tokens are leaked, information such as usernames or principal IDs could expose organizations to privacy and compliance risks.
Rancher now strips all Impersonate- headers from proxied requests. Fixed in the same patched versions listed above.
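The header-stripping fix described above, shown as an added illustration in Go (not Rancher’s own code): a reverse-proxy Director hook that drops every header starting with Impersonate- before the request is forwarded. The upstream URL is a placeholder and the sample headers are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// stripImpersonateHeaders removes every header whose name begins with
// "Impersonate-" (matched case-insensitively, since headers written straight
// into the map may not be canonicalized). It returns the removed names so the
// caller can log what was dropped.
func stripImpersonateHeaders(h http.Header) []string {
	var removed []string
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "impersonate-") {
			removed = append(removed, name)
		}
	}
	for _, name := range removed {
		// delete by exact key: Header.Del would canonicalize the name and
		// miss non-canonical keys such as "impersonate-group".
		delete(h, name)
	}
	return removed
}

// newSanitizingProxy wraps the standard single-host reverse proxy so the
// Director strips impersonation headers before the request leaves the proxy.
func newSanitizingProxy(target *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	orig := proxy.Director
	proxy.Director = func(req *http.Request) {
		orig(req)
		stripImpersonateHeaders(req.Header)
	}
	return proxy
}

func main() {
	// Constructed sample headers as they might arrive on a request to be proxied.
	h := http.Header{}
	h.Set("Impersonate-User", "alice")
	h.Set("Impersonate-Extra-Email", "alice@example.com")
	h.Set("Authorization", "Bearer redacted")
	fmt.Println("removed:", stripImpersonateHeaders(h))
	fmt.Println("remaining:", h)
	_ = newSanitizingProxy(&url.URL{Scheme: "https", Host: "upstream.example"})
}
```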
CVE-2024-58267 – SAML Phishing via Rancher CLI (CVSS 8.1)
The most severe flaw enables phishing attacks during Rancher CLI SAML authentication flows.
As the advisory details, “An attacker can generate a phishing SAML login URL which contains a publicKey and requestId controlled by the attacker… By clicking on the link, the victim will be logged in and an encrypted token will be created with the attacker’s public key. The attacker can then decrypt the victim’s Rancher token, enabling the attack.”
This flaw could let adversaries steal valid Rancher authentication tokens, leading to full cluster compromise.
Updates to both Rancher Manager and CLI now ensure visibility of the requestId, and the login page includes warnings for verification. Fixed in v2.12.2, v2.11.6, v2.10.10, and v2.9.12.
Workarounds
For environments unable to patch immediately:
- Restrict user update permissions to trusted accounts.
- Validate proxy domain allowlists for unnecessary exposure.
- Check Rancher CLI SAML login URLs carefully, ensuring the requestId matches what’s printed locally before proceeding.