External risk intelligence

Rancher SAML Assertion Replay Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.5)

CVE-2026-44946

Rancher is a management platform often deployed as a centralized, internet-reachable gateway or administrative portal to manage Kubernetes clusters, making its authentication surfaces, such as SAML assertion handlers, commonly exposed to external network traffic in standard configurations.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Rancher's SAML authentication process. The issue involves how authentication responses are handled, potentially allowing for unauthorized access if exploited. The primary concern is to confirm if this specific vulnerability affects our deployed Rancher environments.

  • Authentication flaw could allow unauthorized access.
  • Understand potential for credential misuse.
  • Confirm relevance and exposure of Rancher systems.

Attack Path

How an attacker could exploit the issue

An attacker could intercept and reuse a SAML assertion to impersonate a user, gaining unauthorized access to Rancher. This could occur if the attacker has network access and can position themselves between the user and the Rancher server. The vulnerability in the way Rancher handles SAML assertions allows for this replay attack, potentially leading to significant compromise of the managed environment.

  • Network access required.
  • Replay of SAML assertions.
  • Compromise of Rancher access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to replay SAML assertions, potentially enabling unauthorized access to Rancher when specific conditions related to the Assertion Consumer Service handler are met.

  • Rancher authentication and access.
  • Replay of SAML assertions.
  • Unauthorized system access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the SAML authentication process in Rancher, potentially allowing for man-in-the-middle attacks. The first step for technical leaders and system owners is to confirm the presence and criticality of Rancher instances within their environment, identify the platform or infrastructure teams responsible for its management, and then assess exposure before planning remediation.

  • Platform or infrastructure teams should own.
  • Confirm Rancher instance reachability and criticality.
  • Plan risk-based remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rancher and how is it used?

Rancher is a container management platform used to deploy, manage, and secure Kubernetes clusters across various environments. It acts as a centralized administrative interface where teams interact with multiple clusters through a unified dashboard. Because it handles sensitive administrative tasks and cluster orchestration, it requires robust authentication mechanisms to control who can access the management plane and the infrastructure it oversees.

What does CVE-2026-44946 mean for SAML authentication?

This vulnerability, classified as CWE-294 (Authentication Bypass by Capture-Replay), involves a failure in the Assertion Consumer Service (ACS) handler. Normally, SAML assertions should be valid for only one use. In this case, the system fails to enforce that one-time use requirement. Consequently, an intercepted authentication token can be replayed by an unauthorized party to impersonate a legitimate user and gain access to the Rancher management interface.

How can an attacker trigger this SAML replay bug?

An attacker needs to be positioned in the network path between the user and the Rancher server to intercept a valid SAML assertion. Once captured, the attacker can submit that same assertion to the ACS handler to authenticate as the victim. This bug is not triggered by standard user interactions; it requires the specific condition of intercepting a valid assertion and successfully re-sending it before the session context is invalidated or the assertion naturally expires.

Is my Rancher instance relevant to this vulnerability?

According to Halo Surface Signal, Rancher is often deployed as a centralized, internet-reachable gateway or administrative portal. If your instance is configured to be accessible from the public internet, it falls into a higher risk category. Even if your instance is internal, it remains relevant if users rely on SAML for authentication, as the risk exists wherever the ACS handler can be reached and provided with a intercepted assertion.

How do I start addressing this Rancher vulnerability?

Your first priority is to locate all active Rancher deployments and verify their version numbers to see if they fall within the 2.14.0 to 2.14.3 range. Coordinate with the platform or infrastructure teams responsible for these instances to determine which are internet-facing versus internal. Once you have an inventory of the impacted systems, prepare to apply the vendor-provided updates to secure your authentication process.

References