{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-41053","assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","state":"PUBLISHED","assignerShortName":"suse","dateReserved":"2026-04-16T13:37:50.680Z","datePublished":"2026-06-30T11:38:25.060Z","dateUpdated":"2026-07-01T03:55:47.962Z"},"containers":{"cna":{"providerMetadata":{"orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse","dateUpdated":"2026-06-30T11:38:25.060Z"},"title":"Over-inclusive team membership expansion in GitHub App authentication provider for Rancher","datePublic":"2026-05-28T11:31:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-303","description":"CWE-303 Incorrect implementation of authentication algorithm","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"affected":[{"vendor":"SUSE","product":"Rancher","packageName":"Rancher","repo":"https://github.com/rancher/rancher/","modules":["github auth provider"],"versions":[{"status":"affected","version":"2.14.0","lessThan":"2.14.2","versionType":"semver"},{"status":"affected","version":"2.13.0","lessThan":"2.13.6","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.","supportingMedia":[{"type":"text/html","base64":false,"value":"Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2."}]}],"references":[{"url":"https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}],"source":{"defect":["secsys_codex@163.com"],"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-30T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-41053"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-01T03:55:47.962Z"}}]}}