{"id":"CVE-2026-25705","summary":"Rancher Extensions have arbitrary file access via path traversal","details":"A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected into Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse this to:\n\n  *  Overwrite Rancher binaries or configuration to inject code.\n\n  *  Write to /var/lib/rancher/ to tamper with cluster state.\n\n  *  If hostPath volumes are mounted, write to the host node filesystem.\n\n  *  Use this issue to chain with other attack vectors.","aliases":["GHSA-5v3h-x4wf-5c35"],"modified":"2026-05-18T05:58:36.911965596Z","published":"2026-05-13T08:00:46.097Z","database_specific":{"cwe_ids":["CWE-35"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25705.json","cna_assigner":"suse"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25705.json"},{"type":"ADVISORY","url":"https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25705"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"19d8a9c03fde57ab691101dc90a17b92c55f09ad"},{"fixed":"9cf8959713c9152622ce8337c3242da7e44944c1"},{"introduced":"f94ac947f75e312f1ab9217d21b2770b48b734c8"},{"fixed":"8dbcbe437d063f86acf5da89ce686c2601a18010"},{"introduced":"8815e66bf2e4b528493cf11222f1a63f86305a9f"},{"fixed":"db2754edc35189187bb10c524601d3d62642ff9b"},{"introduced":"55b9e241c5577600197c77f4b33dc55e80a35dd0"},{"fixed":"656bed78295984ab2325c88fc63f3a5f208dd128"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introd
uced":"2.14.0"},{"fixed":"2.14.1"},{"introduced":"2.13.0"},{"fixed":"2.13.5"},{"introduced":"2.12.0"},{"fixed":"2.12.9"},{"introduced":"2.10.11"},{"fixed":"2.11.13"}]}}],"versions":["v2.14.1-rc2","v2.14.1-rc1","v2.13.5-rc1","v2.12.9-rc1","v2.14.1-alpha13","v2.14.1-alpha12","v2.12.9-alpha7","v2.13.5-alpha7","v2.14.1-alpha11","v2.14.1-alpha10","v2.14.1-alpha9","v2.14.1-alpha8","v2.13.5-alpha6","v2.12.9-alpha6","v2.14.1-alpha7","v2.14.1-alpha6","v2.14.1-alpha5","v2.13.5-alpha5","v2.12.9-alpha5","v2.12.9-alpha4","v2.13.5-alpha4","v2.14.1-alpha4","v2.12.9-alpha3","v2.13.5-alpha3","v2.14.1-alpha3","v2.13.5-alpha2","v2.12.9-alpha2","v2.12.9-alpha1","v2.13.5-alpha1","v2.14.1-alpha2","v2.14.1-alpha1","v2.12.8","v2.14.0","v2.13.4","v2.13.4-rc1","v2.12.8-rc1","v2.13.4-alpha5","v2.13.4-alpha4","v2.13.4-alpha3","v2.13.4-alpha2","v2.12.8-alpha2","v2.13.4-alpha1","v2.12.8-alpha1","v2.13.3","v2.12.7","v2.12.7-rc1","v2.13.3-rc3","v2.13.3-rc2","v2.13.3-rc1","v2.13.3-alpha6","v2.13.3-alpha5","v2.12.7-alpha3","v2.12.7-alpha2","v2.13.3-alpha4","v2.13.3-alpha3","v2.13.3-alpha2","v2.13.3-alpha1","v2.12.7-alpha1","v2.13.2-rc2","v2.13.2","v2.12.6-rc2","v2.12.6","v2.12.6-rc1","v2.13.2-rc1","v2.13.2-alpha7","v2.13.2-alpha6","v2.12.6-alpha2","v2.13.2-alpha5","v2.12.5","v2.12.6-alpha1","v2.13.2-alpha4","v2.13.2-alpha3","v2.13.2-alpha2","v2.13.2-alpha1","v2.12.4-hotfix-a3c0.1","v2.12.4","v2.13.1","v2.12.5-rc1","v2.13.1-rc1","v2.13.1-alpha7","v2.13.1-alpha6","v2.13.1-alpha5","v2.13.1-alpha4","v2.13.1-alpha3","v2.13.1-alpha2","v2.12.5-alpha2","v2.13.1-alpha1","v2.12.5-alpha1","v2.13.0-rc4","v2.13.0","v2.12.4-rc1","v2.12.4-alpha6","v2.12.4-alpha5","v2.12.4-alpha4","v2.12.4-alpha3","v2.12.4-alpha2","v2.12.4-alpha1","v2.12.3","v2.12.3-rc1","v2.12.3-alpha2","v2.12.2","v2.12.3-alpha1","v2.12.2-rc2","v2.12.2-rc1","v2.12.2-alpha5","v2.12.2-alpha4","v2.12.2-alpha3","v2.12.2-alpha2","v2.12.2-alpha1","v2.12.1","v2.12.1-rc1","v2.12.1-alpha4","v2.12.1-alpha3","v2.12.1-alpha2","v2.12.1-alpha1","v2.12.0"],"data
base_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25705.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"}]}