{"api_version":"1","generated_at":"2026-07-12T19:29:41+00:00","cve":"CVE-2026-41053","urls":{"html":"https://cve.report/CVE-2026-41053","api":"https://cve.report/api/cve/CVE-2026-41053.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-41053","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-41053"},"summary":{"title":"Over-inclusive team membership expansion in GitHub App authentication provider for Rancher","description":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.","state":"PUBLISHED","assigner":"suse","published_at":"2026-06-30 12:16:23","updated_at":"2026-07-02 19:57:44"},"problem_types":["CWE-303","CWE-303 CWE-303 Incorrect implementation of authentication algorithm"],"metrics":[{"version":"3.1","source":"meissner@suse.de","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh","name":"https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh","refsource":"meissner@suse.de","tags":["Patch","Vendor Advisory","Mitigation"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-41053","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41053","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SUSE","product":"Rancher","version":"affected 2.14.0 2.14.2 semver","platforms":[]},{"source":"CNA","vendor":"SUSE","product":"Rancher","version":"affected 2.13.0 2.13.6 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"41053","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"suse","cpe5":"rancher","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"41053","cve":"CVE-2026-41053","epss":"0.003700000","percentile":"0.289810000","score_date":"2026-07-04","updated_at":"2026-07-05 00:02:27"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-41053","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-30T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-01T03:55:47.962Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","modules":["github auth provider"],"packageName":"Rancher","product":"Rancher","repo":"https://github.com/rancher/rancher/","vendor":"SUSE","versions":[{"lessThan":"2.14.2","status":"affected","version":"2.14.0","versionType":"semver"},{"lessThan":"2.13.6","status":"affected","version":"2.13.0","versionType":"semver"}]}],"datePublic":"2026-05-28T11:31:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2."}],"value":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2."}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-303","description":"CWE-303 Incorrect implementation of authentication algorithm","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T11:38:25.060Z","orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse"},"references":[{"tags":["vendor-advisory"],"url":"https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh"}],"source":{"defect":["secsys_codex@163.com"],"discovery":"UNKNOWN"},"title":"Over-inclusive team membership expansion in GitHub App authentication provider for Rancher","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","assignerShortName":"suse","cveId":"CVE-2026-41053","datePublished":"2026-06-30T11:38:25.060Z","dateReserved":"2026-04-16T13:37:50.680Z","dateUpdated":"2026-07-01T03:55:47.962Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-30 12:16:23","lastModifiedDate":"2026-07-02 19:57:44","problem_types":["CWE-303","CWE-303 CWE-303 Incorrect implementation of authentication algorithm"],"metrics":{"cvssMetricV31":[{"source":"meissner@suse.de","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-30T00:00:00+00:00","id":"CVE-2026-41053","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*","versionStartIncluding":"2.13.0","versionEndExcluding":"2.13.6","matchCriteriaId":"53E5872E-9F92-4D2E-858D-4563A955B929"},{"vulnerable":true,"criteria":"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*","versionStartIncluding":"2.14.0","versionEndExcluding":"2.14.2","matchCriteriaId":"3CF3233E-9836-4A06-A063-C83D9AE88156"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"41053","Ordinal":"1","Title":"Over-inclusive team membership expansion in GitHub App authentic","CVE":"CVE-2026-41053","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"41053","Ordinal":"1","NoteData":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.","Type":"Description","Title":"Over-inclusive team membership expansion in GitHub App authentic"}]}}}