What is GHSA-5v3h-x4wf-5c35?

GHSA-5v3h-x4wf-5c35 is a security advisory published by GitHub Security Advisories with High severity. Rancher Extensions have arbitrary file access via path traversal

Which CVE IDs does GHSA-5v3h-x4wf-5c35 cover?

GHSA-5v3h-x4wf-5c35 covers the following CVE IDs: CVE-2026-25705. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-5v3h-x4wf-5c35?

GHSA-5v3h-x4wf-5c35 has a CVSS v3 base score of 8.4, published by GitHub Security Advisories.

Which products are affected by GHSA-5v3h-x4wf-5c35?

GHSA-5v3h-x4wf-5c35 affects 4 products, including: go/github.com/rancher/rancher:\u003e= 2.14.0, \u003c 2.14.1; go/github.com/rancher/rancher:\u003e= 2.13.0, \u003c 2.13.5; go/github.com/rancher/rancher:\u003e= 2.12.0, \u003c 2.12.9; go/github.com/rancher/rancher:\u003e= 2.10.11, \u003c 2.11.13.

GHSA-5v3h-x4wf-5c35HighCVSS 8.4

Rancher Extensions have arbitrary file access via path traversal

Vendor

GitHub Security Advisories

Published

May 7, 2026

Last Modified

May 16, 2026

🔗 CVE IDs covered (1)

CVE-2026-25705 →

📋 Description

### Impact A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: - Overwrite Rancher binaries or configuration to inject code. - Write to `/var/lib/rancher/` to tamper with cluster state. - If `hostPath` volumes are mounted, write to the host node filesystem. - Use this issue to chain with other attack vectors. By default only the administrator can deploy UI extensions, unless permissions are granted to other users. It's always recommended to only install extensions that come from sources trusted by the user. Please consult the associated [MITRE CAPEC-126 - Technique - Path Traversal](https://capec.mitre.org/data/definitions/126.html) for further information about this category of attack. ### Patches This vulnerability is addressed by ensuring that: - The file defined by the UI Plugin CR's `compressedEndpoint` has to be created inside the cache directory and cannot contain `../`. If that is not possible, the installation will fail and the file won't be created. - The icons referenced by Cluster Repos' `index.yaml` file always resolves to a file inside the repository directory. Patched versions of Rancher include releases v2.14.1, v2.13.5, v2.12.9, v2.11.13. ### Workarounds There is no workaround. The user must be careful about which UI Plugins they install. ### Resources If there are any questions or comments about this advisory: - Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. - Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository. - Verify with the [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

🎯 Affected products4

go/github.com/rancher/rancher:>= 2.14.0, < 2.14.1
go/github.com/rancher/rancher:>= 2.13.0, < 2.13.5
go/github.com/rancher/rancher:>= 2.12.0, < 2.12.9
go/github.com/rancher/rancher:>= 2.10.11, < 2.11.13

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products4

🔗 References (4)