Description

A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the --skip-verify flag to the Rancher CLI login command without also passing the --cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher’s cacerts setting.

PUBLISHED Reserved 2025-12-09 | Published 2026-02-25 | Updated 2026-02-26 | Assigner suse




HIGH: 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status: unaffected

Any version before 0.0.0-20260129092249-bb0625fd1896: affected

2.13.0 (semver) before 2.13.2: affected

2.12.0 (semver) before 2.12.6: affected

2.11.0 (semver) before 2.11.10: affected

2.10.0 (semver) before 2.10.11: affected

References

bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67601

github.com/...ancher/security/advisories/GHSA-mc24-7m59-4q5p

cve.org (CVE-2025-67601)

nvd.nist.gov (CVE-2025-67601)
