{"id":"CVE-2026-44946","summary":"SAML Authentication Replay in Rancher","details":"A SAML authentication replay vulnerability in Rancher's Assertion\n Consumer Service (ACS) handler did not enforce \none-time use of SAML assertion, potentially allowing person in the middle attacks against Rancher, affecting Rancher 2.14.0 before 2.14.3,","aliases":["GHSA-c5jm-xcmq-9j95"],"modified":"2026-07-15T01:49:05.744046825Z","published":"2026-06-30T12:14:54.269Z","database_specific":{"cwe_ids":["CWE-294"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44946.json","cna_assigner":"suse"},"references":[{"type":"WEB","url":"https://github.com/rancher/rancher/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44946.json"},{"type":"ADVISORY","url":"https://github.com/rancher/rancher/security/advisories/GHSA-c5jm-xcmq-9j95"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44946"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"4b8ab8c48d681f77065bf25e1fa502c652b94465"},{"fixed":"9127393c926e2e49c549f3ad6179360779d456ad"},{"introduced":"8815e66bf2e4b528493cf11222f1a63f86305a9f"},{"fixed":"e2755334ece402f2f453f2f113e57785a8b9b42a"},{"introduced":"f94ac947f75e312f1ab9217d21b2770b48b734c8"},{"fixed":"81dc2c4ed99c5d478f01ab1a6d4def772df349c6"},{"introduced":"19d8a9c03fde57ab691101dc90a17b92c55f09ad"},{"fixed":"4603afd276483411c06a2b716eca38931b564e48"}],"database_specific":{"cpe":"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.11.0"},{"fixed":"2.11.15"},{"introduced":"2.12.0"},{"fixed":"2.12.11"},{"introduced":"2.13.0"},{"fixed":"2.13.7"},{"introduced":"2.14.0"},{"fixed":"2.14.3"}],"source":"CPE_RANGE"}}],"versions":["v2.13.3","v2.12.11-rc1","v2.14.3-rc1","v2.11.15-rc1","v2.11.15-alpha4","v2.13.7-rc1","v2.12.11-alpha5","v2.14.2","v2.14.3-alpha6","v2.13.7-alpha7","v2.11.15-alpha3","v2.12.11-alpha4","v2.13.7-alpha6","v2.11.15-alpha2","v2.13.7-alpha5","v2.12.11-alpha3","v2.14.3-alpha5","v2.13.7-alpha4","v2.14.3-alpha4","v2.11.15-alpha1","v2.12.11-alpha2","v2.12.11-alpha1","v2.14.3-alpha3","v2.13.7-alpha3","v2.14.3-alpha2","v2.13.7-alpha2","v2.13.7-alpha1","v2.14.3-alpha1","v2.11.14","v2.12.10","v2.13.6","v2.14.2-rc1","v2.12.10-rc1","v2.11.14-rc1","v2.13.6-rc1","v2.14.2-alpha8","v2.13.6-alpha6","v2.14.2-alpha7","v2.11.14-alpha1","v2.14.2-alpha6","v2.12.10-alpha5","v2.12.10-alpha4","v2.13.6-alpha5","v2.14.2-alpha5","v2.14.2-alpha4","v2.14.1-alpha14","v2.12.10-alpha3","v2.13.6-alpha4","v2.14.2-alpha3","v2.13.6-alpha3","v2.13.6-alpha2","v2.12.10-alpha2","v2.14.2-alpha2","v2.12.10-alpha1","v2.13.6-alpha1","v2.14.2-alpha1","v2.14.1","v2.11.13","v2.13.5","v2.12.9","v2.14.1-rc2","v2.14.1-rc1","v2.13.5-rc1","v2.12.9-rc1","v2.14.1-alpha13","v2.14.1-alpha12","v2.11.13-rc1","v2.11.13-alpha6","v2.12.9-alpha7","v2.13.5-alpha7","v2.14.1-alpha11","v2.14.1-alpha10","v2.14.1-alpha9","v2.14.1-alpha8","v2.11.13-alpha5","v2.13.5-alpha6","v2.12.9-alpha6","v2.14.1-alpha7","v2.14.1-alpha6","v2.14.1-alpha5","v2.13.5-alpha5","v2.12.9-alpha5","v2.11.13-alpha4","v2.11.13-alpha3","v2.11.13-alpha2","v2.12.9-alpha4","v2.13.5-alpha4","v2.14.1-alpha4","v2.12.9-alpha3","v2.13.5-alpha3","v2.14.1-alpha3","v2.11.13-alpha1","v2.13.5-alpha2","v2.12.9-alpha2","v2.12.9-alpha1","v2.13.5-alpha1","v2.14.1-alpha2","v2.14.1-alpha1","v2.11.12","v2.12.8","v2.14.0","v2.13.4","v2.11.12-rc1","v2.13.4-rc1","v2.12.8-rc1","v2.13.4-alpha5","v2.13.4-alpha4","v2.13.4-alpha3","v2.13.4-alpha2","v2.12.8-alpha2","v2.11.12-alpha1","v2.13.4-alpha1","v2.12.8-alpha1","v2.12.7","v2.11.11","v2.12.7-rc1","v2.11.11-rc1","v2.13.3-rc3","v2.13.3-rc2","v2.13.3-rc1","v2.13.3-alpha6","v2.13.3-alpha5","v2.12.7-alpha3","v2.11.11-alpha2","v2.12.7-alpha2","v2.13.3-alpha4","v2.13.3-alpha3","v2.13.3-alpha2","v2.11.11-alpha1","v2.13.3-alpha1","v2.12.7-alpha1","v2.11.10-rc2","v2.11.10","v2.13.2-rc2","v2.13.2","v2.12.6-rc2","v2.12.6","v2.11.10-rc1","v2.12.6-rc1","v2.13.2-rc1","v2.13.2-alpha7","v2.13.2-alpha6","v2.12.6-alpha2","v2.13.2-alpha5","v2.11.10-alpha1","v2.12.5","v2.12.6-alpha1","v2.11.9-alpha2","v2.13.2-alpha4","v2.13.2-alpha3","v2.13.2-alpha2","v2.13.2-alpha1","v2.12.4-hotfix-a3c0.1","v2.12.4","v2.11.9","v2.13.1","v2.12.5-rc1","v2.11.9-rc1","v2.13.1-rc1","v2.13.1-alpha7","v2.13.1-alpha6","v2.13.1-alpha5","v2.13.1-alpha4","v2.11.9-alpha1","v2.13.1-alpha3","v2.13.1-alpha2","v2.12.5-alpha2","v2.13.1-alpha1","v2.12.5-alpha1","v2.11.8","v2.13.0-rc4","v2.13.0","v2.12.4-rc1","v2.11.8-rc1","v2.11.8-alpha5","v2.11.8-alpha4","v2.12.4-alpha6","v2.11.8-alpha3","v2.12.4-alpha5","v2.11.8-alpha2","v2.12.4-alpha4","v2.12.4-alpha3","v2.11.8-alpha1","v2.12.4-alpha2","v2.12.4-alpha1","v2.12.3","v2.11.7","v2.11.7-rc2","v2.11.7-rc1","v2.12.3-rc1","v2.11.7-alpha2","v2.12.3-alpha2","v2.11.7-alpha1","v2.11.6","v2.12.2","v2.12.3-alpha1","v2.11.1","v2.11.6-rc1","v2.12.2-rc2","v2.12.2-rc1","v2.11.6-alpha4","v2.12.2-alpha5","v2.12.2-alpha4","v2.12.2-alpha3","v2.11.6-alpha3","v2.12.2-alpha2","v2.11.6-alpha2","v2.11.6-alpha1","v2.12.2-alpha1","v2.12.1","v2.11.5","v2.12.1-rc1","v2.11.5-rc1","v2.11.5-alpha3","v2.12.1-alpha4","v2.11.5-alpha2","v2.12.1-alpha3","v2.12.1-alpha2","v2.12.1-alpha1","v2.11.5-alpha1","v2.11.4","v2.11.3","v2.12.0","v2.11.4-rc1","v2.11.4-alpha5","v2.11.4-alpha4","v2.11.4-alpha3","v2.11.4-alpha2","v2.11.4-alpha1","v2.11.3-rc1","v2.11.3-alpha3","v2.11.3-alpha2","v2.11.3-alpha1","v2.11.2","v2.11.2-rc2","v2.11.2-rc1","v2.11.2-alpha4","v2.11.2-alpha3","v2.11.2-alpha2","v2.11.2-alpha1","v2.11.1-rc2","v2.11.1-rc1","v2.11.1-alpha3","v2.11.1-alpha2","v2.11.1-alpha1","v2.11.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44946.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"}]}