CVE-2026-25705— Rancher Extensions have arbitrary file access via path traversal
Possible ATT&CK Techniques 3AI
T1068 · Exploitation for Privilege Escalation T1546 · Event Triggered Execution T1059 · Command and Scripting InterpreterGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25705
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rancher Extensions have arbitrary file access via path traversal
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code. * Write to /var/lib/rancher/ to tamper with cluster state. * If hostPath volumes are mounted, write to the host node filesystem. * Use this issue to chain with other attack vectors.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
路径遍历:’…/…//’
Source: NVD (National Vulnerability Database)
Vulnerability Title
Rancher 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Rancher是美国Rancher开源的一个开源容器管理平台,专为在生产环境中部署容器的组织而构建。 Rancher存在安全漏洞,该漏洞源于Extensions中compressedEndpoint字段存在路径遍历,可能导致恶意UI扩展注入代码、覆盖Rancher二进制文件或配置、篡改集群状态、写入主机节点文件系统以及与其他攻击向量链式利用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-25705
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25705
请登录查看更多情报信息。
Same Patch Batch · SUSE · 2026-05-13 · 3 CVEs total
| CVE-2026-41050 | 9.9 CRITICAL | Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template re |
| CVE-2026-41051 | 5.0 MEDIUM | csync2 uses insecure temporary directories when compiled with C99 or later |
IV. Related Vulnerabilities
Same product: rancher
- CVE-2026-41050
Helm impersonation bypass of `RESTClientGetter` retains `clu - CVE-2025-62879
Rancher Backup Operator pod's logs leak S3 tokens - CVE-2025-62878
Local Path Provisioner vulnerable to Path Traversal via para - CVE-2025-67601
Rancher CLI skips TLS verification on Rancher CLI login comm - CVE-2024-58269
Rancher exposes sensitive information through audit logs
Same vendor: SUSE
- CVE-2026-41051
csync2 uses insecure temporary directories when compiled wit - CVE-2026-41050
Helm impersonation bypass of `RESTClientGetter` retains `clu - CVE-2026-25702
nftables disabled due to incorrect kernel backport - CVE-2025-62879
Rancher Backup Operator pod's logs leak S3 tokens - CVE-2025-62878
Local Path Provisioner vulnerable to Path Traversal via para
Same weakness: CWE-35
V. Comments for CVE-2026-25705
No comments yet