CVE-2026-44946

Source
https://cve.org/CVERecord?id=CVE-2026-44946
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44946.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44946
Aliases
  • GHSA-c5jm-xcmq-9j95
Published
2026-06-30T12:14:54.269Z
Modified
2026-07-15T01:49:05.744046825Z
Severity
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
SAML Authentication Replay in Rancher
Details

A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertion, potentially allowing person in the middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3,

Database specific
{
    "cna_assigner": "suse",
    "cwe_ids": [
        "CWE-294"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44946.json"
}
References

Affected packages

Git / github.com/rancher/rancher

Affected ranges

Type
GIT
Repo
https://github.com/rancher/rancher
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.11.0"
        },
        {
            "fixed": "2.11.15"
        },
        {
            "introduced": "2.12.0"
        },
        {
            "fixed": "2.12.11"
        },
        {
            "introduced": "2.13.0"
        },
        {
            "fixed": "2.13.7"
        },
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.3"
        }
    ]
}

Affected versions

v2.*
v2.11.0
v2.11.1
v2.11.1-alpha1
v2.11.1-alpha2
v2.11.1-alpha3
v2.11.1-rc1
v2.11.1-rc2
v2.11.10
v2.11.10-alpha1
v2.11.10-rc1
v2.11.10-rc2
v2.11.11
v2.11.11-alpha1
v2.11.11-alpha2
v2.11.11-rc1
v2.11.12
v2.11.12-alpha1
v2.11.12-rc1
v2.11.13
v2.11.13-alpha1
v2.11.13-alpha2
v2.11.13-alpha3
v2.11.13-alpha4
v2.11.13-alpha5
v2.11.13-alpha6
v2.11.13-rc1
v2.11.14
v2.11.14-alpha1
v2.11.14-rc1
v2.11.15-alpha1
v2.11.15-alpha2
v2.11.15-alpha3
v2.11.15-alpha4
v2.11.15-rc1
v2.11.2
v2.11.2-alpha1
v2.11.2-alpha2
v2.11.2-alpha3
v2.11.2-alpha4
v2.11.2-rc1
v2.11.2-rc2
v2.11.3
v2.11.3-alpha1
v2.11.3-alpha2
v2.11.3-alpha3
v2.11.3-rc1
v2.11.4
v2.11.4-alpha1
v2.11.4-alpha2
v2.11.4-alpha3
v2.11.4-alpha4
v2.11.4-alpha5
v2.11.4-rc1
v2.11.5
v2.11.5-alpha1
v2.11.5-alpha2
v2.11.5-alpha3
v2.11.5-rc1
v2.11.6
v2.11.6-alpha1
v2.11.6-alpha2
v2.11.6-alpha3
v2.11.6-alpha4
v2.11.6-rc1
v2.11.7
v2.11.7-alpha1
v2.11.7-alpha2
v2.11.7-rc1
v2.11.7-rc2
v2.11.8
v2.11.8-alpha1
v2.11.8-alpha2
v2.11.8-alpha3
v2.11.8-alpha4
v2.11.8-alpha5
v2.11.8-rc1
v2.11.9
v2.11.9-alpha1
v2.11.9-alpha2
v2.11.9-rc1
v2.12.0
v2.12.1
v2.12.1-alpha1
v2.12.1-alpha2
v2.12.1-alpha3
v2.12.1-alpha4
v2.12.1-rc1
v2.12.10
v2.12.10-alpha1
v2.12.10-alpha2
v2.12.10-alpha3
v2.12.10-alpha4
v2.12.10-alpha5
v2.12.10-rc1
v2.12.11-alpha1
v2.12.11-alpha2
v2.12.11-alpha3
v2.12.11-alpha4
v2.12.11-alpha5
v2.12.11-rc1
v2.12.2
v2.12.2-alpha1
v2.12.2-alpha2
v2.12.2-alpha3
v2.12.2-alpha4
v2.12.2-alpha5
v2.12.2-rc1
v2.12.2-rc2
v2.12.3
v2.12.3-alpha1
v2.12.3-alpha2
v2.12.3-rc1
v2.12.4
v2.12.4-alpha1
v2.12.4-alpha2
v2.12.4-alpha3
v2.12.4-alpha4
v2.12.4-alpha5
v2.12.4-alpha6
v2.12.4-hotfix-a3c0.1
v2.12.4-rc1
v2.12.5
v2.12.5-alpha1
v2.12.5-alpha2
v2.12.5-rc1
v2.12.6
v2.12.6-alpha1
v2.12.6-alpha2
v2.12.6-rc1
v2.12.6-rc2
v2.12.7
v2.12.7-alpha1
v2.12.7-alpha2
v2.12.7-alpha3
v2.12.7-rc1
v2.12.8
v2.12.8-alpha1
v2.12.8-alpha2
v2.12.8-rc1
v2.12.9
v2.12.9-alpha1
v2.12.9-alpha2
v2.12.9-alpha3
v2.12.9-alpha4
v2.12.9-alpha5
v2.12.9-alpha6
v2.12.9-alpha7
v2.12.9-rc1
v2.13.0
v2.13.0-rc4
v2.13.1
v2.13.1-alpha1
v2.13.1-alpha2
v2.13.1-alpha3
v2.13.1-alpha4
v2.13.1-alpha5
v2.13.1-alpha6
v2.13.1-alpha7
v2.13.1-rc1
v2.13.2
v2.13.2-alpha1
v2.13.2-alpha2
v2.13.2-alpha3
v2.13.2-alpha4
v2.13.2-alpha5
v2.13.2-alpha6
v2.13.2-alpha7
v2.13.2-rc1
v2.13.2-rc2
v2.13.3
v2.13.3-alpha1
v2.13.3-alpha2
v2.13.3-alpha3
v2.13.3-alpha4
v2.13.3-alpha5
v2.13.3-alpha6
v2.13.3-rc1
v2.13.3-rc2
v2.13.3-rc3
v2.13.4
v2.13.4-alpha1
v2.13.4-alpha2
v2.13.4-alpha3
v2.13.4-alpha4
v2.13.4-alpha5
v2.13.4-rc1
v2.13.5
v2.13.5-alpha1
v2.13.5-alpha2
v2.13.5-alpha3
v2.13.5-alpha4
v2.13.5-alpha5
v2.13.5-alpha6
v2.13.5-alpha7
v2.13.5-rc1
v2.13.6
v2.13.6-alpha1
v2.13.6-alpha2
v2.13.6-alpha3
v2.13.6-alpha4
v2.13.6-alpha5
v2.13.6-alpha6
v2.13.6-rc1
v2.13.7-alpha1
v2.13.7-alpha2
v2.13.7-alpha3
v2.13.7-alpha4
v2.13.7-alpha5
v2.13.7-alpha6
v2.13.7-alpha7
v2.13.7-rc1
v2.14.0
v2.14.1
v2.14.1-alpha1
v2.14.1-alpha10
v2.14.1-alpha11
v2.14.1-alpha12
v2.14.1-alpha13
v2.14.1-alpha14
v2.14.1-alpha2
v2.14.1-alpha3
v2.14.1-alpha4
v2.14.1-alpha5
v2.14.1-alpha6
v2.14.1-alpha7
v2.14.1-alpha8
v2.14.1-alpha9
v2.14.1-rc1
v2.14.1-rc2
v2.14.2
v2.14.2-alpha1
v2.14.2-alpha2
v2.14.2-alpha3
v2.14.2-alpha4
v2.14.2-alpha5
v2.14.2-alpha6
v2.14.2-alpha7
v2.14.2-alpha8
v2.14.2-rc1
v2.14.3-alpha1
v2.14.3-alpha2
v2.14.3-alpha3
v2.14.3-alpha4
v2.14.3-alpha5
v2.14.3-alpha6
v2.14.3-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44946.json"