Affected by GO-2024-2535 and 16 other vulnerabilities
GO-2024-2535: Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher
GO-2024-2537: Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher
GO-2024-2760: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
GO-2024-2761: Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
GO-2024-2771: Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
GO-2024-2929: Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher
GO-2024-2931: Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher
GO-2024-2932: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher
GO-2024-3161: Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
GO-2024-3220: Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
GO-2024-3221: Rancher Remote Code Execution via Cluster/Node Drivers in github.com/rancher/rancher
GO-2024-3223: Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher
GO-2024-3280: Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher
GO-2025-3391: Rancher UI has Stored Cross-site Scripting vulnerability in github.com/rancher/rancher
GO-2025-3489: Rancher's SAML-based login via CLI can be denied by unauthenticated users in github.com/rancher/rancher
GO-2025-3490: Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login in github.com/rancher/rancher
GO-2025-3491: Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API in github.com/rancher/rancher
RegisterCluster updates the pod security policy if the default pod security policy template for this cluster has been updated, then resyncs all service accounts in this namespace.
RegisterNamespace resyncs the current namespace's service accounts. This is necessary because service accounts determine their parent project via an annotation on the namespace, and the namespace is not always present when the service account handler is triggered, so this handler re-triggers the service account handler once the annotation has been added.
RegisterProject updates the pod security policy for this project if it has been changed, and resyncs the service accounts so they pick up the change. If no policy exists, it exits without doing anything.
Each namespace has a pod security policy assigned to a role if:
a. its project has a PSPT (pod security policy template) assigned to it,
OR
b. its cluster has a default PSPT assigned to it.
PSPs are bound to their associated service accounts via a cluster role binding.
RegisterTemplate propagates updates to pod security policy templates to their associated pod security policies. It ignores pod security policy templates not assigned to a cluster or project.
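The assignment rule above (project PSPT or cluster default PSPT) and the RegisterNamespace case where the project annotation has not been written yet, as an added example that is not code from the rancher project: it assumes the annotation key, that a project-level PSPT takes precedence over the cluster default, and an in-memory Cluster model in place of the real API objects.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ProjectAnnotation is the namespace annotation naming the owning project.
// The key is an assumption for this example; the page does not name it.
const ProjectAnnotation = "field.cattle.io/projectId"

// ErrNoProjectAnnotation is the situation RegisterNamespace exists for: the
// namespace is not yet annotated, so the caller must requeue, not treat the
// namespace as having no project.
var ErrNoProjectAnnotation = errors.New("namespace has no project annotation yet")

// Cluster is a constructed stand-in for the cluster and project objects.
type Cluster struct {
	DefaultPSPT  string            // "" means no cluster default PSPT
	ProjectPSPTs map[string]string // project name -> PSPT name
}

// EffectivePSPT returns the PSPT that applies to a namespace, or "" if neither
// the project nor the cluster provides one. Project-level wins over cluster
// default (assumed precedence).
func EffectivePSPT(c Cluster, nsAnnotations map[string]string) (string, error) {
	project, ok := nsAnnotations[ProjectAnnotation]
	if !ok || project == "" {
		return "", ErrNoProjectAnnotation
	}
	if pspt := c.ProjectPSPTs[project]; pspt != "" {
		return pspt, nil
	}
	return c.DefaultPSPT, nil
}

// ResyncNamespaces computes the PSPT each namespace's service accounts should
// be bound to, and separately lists namespaces that must be requeued because
// their annotation is still missing.
func ResyncNamespaces(c Cluster, namespaces map[string]map[string]string) (assigned map[string]string, requeue []string) {
	assigned = map[string]string{}
	for ns, ann := range namespaces {
		pspt, err := EffectivePSPT(c, ann)
		if errors.Is(err, ErrNoProjectAnnotation) {
			requeue = append(requeue, ns)
			continue
		}
		if pspt != "" { // no PSPT anywhere: nothing to bind, like RegisterProject's early exit
			assigned[ns] = pspt
		}
	}
	sort.Strings(requeue)
	return assigned, requeue
}

func main() {
	c := Cluster{DefaultPSPT: "restricted", ProjectPSPTs: map[string]string{"p-abc": "relaxed"}}
	assigned, requeue := ResyncNamespaces(c, map[string]map[string]string{
		"ns-a": {ProjectAnnotation: "p-abc"}, "ns-b": {ProjectAnnotation: "p-xyz"}, "ns-c": {}})
	fmt.Println(assigned, requeue)
}
```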