{
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "nl",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            },
            {
                "category": "description",
                "text": "Rancher Labs heeft kwetsbaarheden verholpen in Rancher versies 2.13.0 tot en met 2.13.7 en 2.14.0 tot en met 2.14.3.",
                "title": "Feiten"
            },
            {
                "category": "description",
                "text": "De eerste kwetsbaarheid betreft een SAML authenticatie replay probleem in de Assertion Consumer Service (ACS) handler in Rancher versies 2.14.0 tot, maar niet inclusief 2.14.3. De ACS handler dwingt het eenmalig gebruik van SAML assertions niet af, waardoor een aanvaller onderschepte assertions kan hergebruiken. Dit kan leiden tot man-in-the-middle aanvallen die de integriteit van het authenticatieproces aantasten. De tweede kwetsbaarheid zit in de legacy Project Role Template Binding reconciler in Rancher versies 2.13.0 tot en met 2.13.7 en 2.14.0 tot en met 2.14.3. Door het ontbreken van een opruimstap kunnen gebruikers Pod Security Admission permissies behouden die eigenlijk ingetrokken hadden moeten worden wanneer een beheerder deze permissies uit een RoleTemplate verwijdert. Dit komt doordat de reconciler permissies niet correct bijwerkt of verwijdert, waardoor ongeautoriseerde toegang kan blijven bestaan en gebruikers mogelijk verhoogde privileges behouden buiten hun toegestane scope.",
                "title": "Interpretaties"
            },
            {
                "category": "description",
                "text": "Rancher Labs heeft updates uitgebracht om deze kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
                "title": "Oplossingen"
            },
            {
                "category": "general",
                "text": "medium",
                "title": "Kans"
            },
            {
                "category": "general",
                "text": "high",
                "title": "Schade"
            },
            {
                "category": "general",
                "text": "Improper Preservation of Permissions",
                "title": "CWE-281"
            },
            {
                "category": "general",
                "text": "Authentication Bypass by Capture-replay",
                "title": "CWE-294"
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "Nationaal Cyber Security Centrum",
            "namespace": "https://www.ncsc.nl/"
        },
        "references": [
            {
                "category": "external",
                "summary": "Reference",
                "url": "https://github.com/rancher/rancher/security/advisories/GHSA-c4rp-wgqc-mfhc"
            },
            {
                "category": "external",
                "summary": "Reference",
                "url": "https://github.com/rancher/rancher/security/advisories/GHSA-c5jm-xcmq-9j95"
            }
        ],
        "title": "Kwetsbaarheden verholpen in Rancher door Rancher Labs",
        "tracking": {
            "current_release_date": "2026-07-03T08:21:34.093014Z",
            "generator": {
                "date": "2025-08-04T16:30:00Z",
                "engine": {
                    "name": "V.A.",
                    "version": "1.3"
                }
            },
            "id": "NCSC-2026-0220",
            "initial_release_date": "2026-07-03T08:21:34.093014Z",
            "revision_history": [
                {
                    "date": "2026-07-03T08:21:34.093014Z",
                    "number": "1.0.0",
                    "summary": "Initiele versie"
                }
            ],
            "status": "final",
            "version": "1.0.0"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/*",
                                "product": {
                                    "name": "vers:unknown/*",
                                    "product_id": "CSAFPID-1"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Rancher"
                    }
                ],
                "category": "vendor",
                "name": "Rancher"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-44946",
            "cwe": {
                "id": "CWE-294",
                "name": "Authentication Bypass by Capture-replay"
            },
            "notes": [
                {
                    "category": "other",
                    "text": "Authentication Bypass by Capture-replay",
                    "title": "CWE-294"
                },
                {
                    "category": "description",
                    "text": "A SAML authentication replay vulnerability in Rancher's ACS handler allowed potential man-in-the-middle attacks by failing to enforce one-time use of SAML assertions in versions 2.14.0 to before 2.14.3.",
                    "title": "Summary"
                },
                {
                    "category": "general",
                    "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                    "title": "CVSSV4"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-1"
                ]
            },
            "references": [
                {
                    "category": "self",
                    "summary": "CVE-2026-44946 | NCSC-NL Website",
                    "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-44946.json"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                        "baseScore": 7.4,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1"
                    ]
                }
            ],
            "title": "CVE-2026-44946"
        },
        {
            "cve": "CVE-2026-44947",
            "cwe": {
                "id": "CWE-281",
                "name": "Improper Preservation of Permissions"
            },
            "notes": [
                {
                    "category": "other",
                    "text": "Improper Preservation of Permissions",
                    "title": "CWE-281"
                },
                {
                    "category": "description",
                    "text": "A missing clean-up in the legacy Project Role Template Binding reconciler in Rancher versions 2.13.0 to 2.13.7 and 2.14.0 to 2.14.3 allowed users to retain unauthorized Pod Security Admission permissions after removal from a RoleTemplate.",
                    "title": "Summary"
                },
                {
                    "category": "general",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
                    "title": "CVSSV4"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-1"
                ]
            },
            "references": [
                {
                    "category": "self",
                    "summary": "CVE-2026-44947 | NCSC-NL Website",
                    "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-44947.json"
                }
            ],
            "title": "CVE-2026-44947"
        }
    ]
}