CVE-2026-44946
SUSE · Rancher
Rancher's SAML Assertion Consumer Service handler is vulnerable to authentication replay attacks due to a failure to enforce one-time use of SAML assertions.
Executive summary
A critical authentication replay vulnerability in SUSE Rancher allows an attacker who has obtained a valid SAML assertion, for example by intercepting it in transit, to replay that assertion against Rancher's SAML Assertion Consumer Service and authenticate as the assertion's subject, gaining unauthorized access to the Rancher management interface.
Vulnerability
The vulnerability stems from a flaw in the SAML Assertion Consumer Service (ACS) handler, which does not enforce the single-use requirement for SAML assertions: an assertion the handler has already accepted is not recognized when it is presented a second time. An attacker who captures a valid assertion can therefore replay it to the ACS endpoint and obtain a session in the Rancher management interface as the user the assertion identifies. Standard SAML validity checks (the NotBefore and NotOnOrAfter bounds of the assertion's Conditions element) limit how long a captured assertion remains usable, so short assertion lifetimes narrow the window but do not close it; only enforcing one-time use at the ACS does.
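The check the vulnerable handler is missing, shown here as an added illustration rather than Rancher's own code: after signature verification, a SAML ACS must refuse any assertion whose ID it has already accepted, and it can safely drop remembered IDs once the assertion's own NotOnOrAfter has passed because such an assertion is rejected as expired before the cache is consulted. The Go program below is a self-contained model written for this page; the assertion XML it parses is constructed, the struct is a minimal subset of the SAML 2.0 Assertion schema, and signature verification is deliberately out of scope.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// assertion is a minimal subset of a SAML 2.0 <Assertion>: only the ID and the
// Conditions bounds the single-use check needs. Constructed for this example;
// it is not Rancher's type or a full SAML implementation.
type assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string   `xml:"ID,attr"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
}

var (
	ErrReplay  = errors.New("saml: assertion ID already consumed")
	ErrExpired = errors.New("saml: assertion outside its validity window")
	ErrMissing = errors.New("saml: assertion lacks ID or NotOnOrAfter")
)

// replayCache remembers every accepted assertion ID, keyed to that assertion's
// NotOnOrAfter; an entry may be pruned once that bound has passed (see consume).
type replayCache struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func newReplayCache() *replayCache { return &replayCache{seen: map[string]time.Time{}} }

// consume is the single-use check an ACS must run after verifying the
// assertion's signature: enforce the Conditions window, then refuse any ID
// that has already been accepted. now is a parameter so the logic is testable.
func (c *replayCache) consume(a *assertion, now time.Time) error {
	if a.ID == "" || a.Conditions.NotOnOrAfter == "" {
		return ErrMissing
	}
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return fmt.Errorf("saml: bad NotOnOrAfter: %w", err)
	}
	if a.Conditions.NotBefore != "" {
		notBefore, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
		if err != nil {
			return fmt.Errorf("saml: bad NotBefore: %w", err)
		}
		if now.Before(notBefore) {
			return ErrExpired
		}
	}
	if !now.Before(notOnOrAfter) { // NotOnOrAfter is an exclusive bound
		return ErrExpired
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	for id, exp := range c.seen { // prune IDs that could no longer validate anyway
		if !now.Before(exp) {
			delete(c.seen, id)
		}
	}
	if _, dup := c.seen[a.ID]; dup {
		return ErrReplay
	}
	c.seen[a.ID] = notOnOrAfter
	return nil
}

func parseAssertion(raw []byte) (*assertion, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	return &a, nil
}

// sampleAssertion builds a constructed, unsigned assertion for the demo.
func sampleAssertion(id, notBefore, notOnOrAfter string) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID=%q Version="2.0">`+
		`<saml:Conditions NotBefore=%q NotOnOrAfter=%q/></saml:Assertion>`, id, notBefore, notOnOrAfter))
}

func main() {
	cache := newReplayCache()
	now := time.Date(2026, 1, 1, 10, 1, 0, 0, time.UTC)
	a, err := parseAssertion(sampleAssertion("_id-1", "2026-01-01T10:00:00Z", "2026-01-01T10:05:00Z"))
	if err != nil {
		panic(err)
	}
	fmt.Println("first use:", cache.consume(a, now)) // <nil>
	fmt.Println("replay:", cache.consume(a, now))    // saml: assertion ID already consumed
}
```

Two points matter when turning this into a real control. The seen-ID store must be shared by every replica that serves the ACS endpoint (a database or shared cache rather than a per-process map), otherwise a replay aimed at a different replica succeeds. And the ID check complements, rather than replaces, binding the assertion's InResponseTo to an outstanding AuthnRequest, which is a further check not shown here.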
Business impact
With a CVSS score of 9.5, this flaw poses a critical threat to the container management infrastructure Rancher controls. Successful exploitation lets an attacker impersonate legitimate users, including administrators, and gain administrative control over the Rancher environment and, through it, the Kubernetes clusters Rancher manages, leading to data compromise and full takeover of those systems.
Remediation
Immediate Action: Upgrade all instances of Rancher to version 2.14.3 or later to ensure SAML assertion replay protection is correctly enforced.
Proactive Monitoring: Review Rancher authentication logs for SAML logins that reuse an assertion already accepted (where the logs record it, the same assertion ID appearing in more than one successful login) and for successive logins of one user from different source addresses within a short interval; either pattern may indicate replay activity.
Compensating Controls: Until the upgrade is applied, reduce the usable lifetime of an intercepted assertion: keep the assertion validity window issued by the identity provider (NotOnOrAfter) short, require TLS for the ACS endpoint and all traffic that carries assertions so they are not exposed in transit, and limit Rancher session duration so a session obtained by replay expires quickly. These measures narrow the window of opportunity but do not remove the flaw; only the upgrade does.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk associated with this SAML replay vulnerability is extreme for organizations that authenticate to Rancher through centralized SAML single sign-on, since a single captured assertion yields a session as that user. Security teams must prioritize upgrading Rancher to the recommended version to maintain the integrity of their authentication and authorization processes.