FixVibe
Research note · critical

Rancher Command Injection via Unsanitized YAML Parameter (CVE-2026-44939)

A critical command injection vulnerability (CVE-2026-44939) in Rancher versions 2.14.0 and 2.14.1 allows remote code execution. The flaw lies in the processing of a YAML parameter that is not sanitized before it reaches a command execution path, and successful exploitation can lead to full compromise of the Rancher host and the clusters it manages. Upgrade to version 2.14.2 or later.

CVE-2026-44939 · GHSA-mhc6-2gfq-xx62 · CWE-95

A critical command injection vulnerability has been identified in Rancher, an open-source multi-cluster management platform [S2]. The vulnerability, tracked as CVE-2026-44939, allows an attacker to execute arbitrary commands by submitting a specially crafted YAML parameter that Rancher passes on to a command execution path without proper sanitization [S1][S3].

Impact

Successful exploitation of this vulnerability can lead to full system compromise [S2]. Since Rancher often runs with high privileges to manage Kubernetes clusters, an attacker could gain unauthorized access to sensitive cluster data, modify configurations, or disrupt managed services [S2]. The vulnerability has been assigned a CVSS score of 9.6, reflecting its critical nature [S3].

Root Cause

The root cause is a failure to sanitize user-supplied input within YAML configurations [S2]. Specifically, certain parameters within the YAML structure are passed to an underlying shell or dynamic execution environment without adequate validation or escaping, so shell metacharacters or directives embedded in the value are interpreted rather than treated as data. The issue is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, "Eval Injection") [S1]. The advisory does not name the specific parameter or code path, so the reliable fix is the version upgrade rather than filtering a particular field at the network edge.
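The bug class described above, as an added illustration that is not Rancher's code and not the actual vulnerable path (which the advisory does not publish): a hypothetical `clusterName` parameter is read from a user-supplied document and either spliced into a `sh -c` command line (the injection pattern) or validated against an allowlist and passed as a discrete argv element (the hardened form). The document is a JSON object, which is also valid YAML, so no YAML library is needed; the field name, the `kubectl` invocation and the sample value are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed sample document. JSON is a subset of YAML, so this stands in for
// a YAML parameter without a YAML library. The "clusterName" field is hypothetical.
const sampleDoc = `{"clusterName": "prod; id"}`

// ParseParam extracts the user-controlled parameter from the document.
func ParseParam(doc string) (string, error) {
	var in struct {
		ClusterName string `json:"clusterName"`
	}
	if err := json.Unmarshal([]byte(doc), &in); err != nil {
		return "", err
	}
	return in.ClusterName, nil
}

// VulnerableArgs shows the injection pattern: the parameter is spliced into a
// single string that a shell will parse, so "; id" becomes a second command.
// The command is built but never run.
func VulnerableArgs(clusterName string) []string {
	cmd := exec.Command("sh", "-c", fmt.Sprintf("kubectl config use-context %s", clusterName))
	return cmd.Args
}

// nameRule is an allowlist for the parameter: a DNS label, the same shape
// Kubernetes requires for most object names.
var nameRule = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// HardenedArgs validates the parameter against the allowlist and passes it as
// its own argv element with no shell in between, so metacharacters are inert.
// The command is built but never run.
func HardenedArgs(clusterName string) ([]string, error) {
	if !nameRule.MatchString(clusterName) {
		return nil, errors.New("clusterName rejected: must be a DNS label")
	}
	cmd := exec.Command("kubectl", "config", "use-context", clusterName)
	return cmd.Args, nil
}

func main() {
	name, err := ParseParam(sampleDoc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable form hands the shell: %q\n", VulnerableArgs(name)[2])
	if _, err := HardenedArgs(name); err != nil {
		fmt.Println("hardened form:", err)
	}
	args, _ := HardenedArgs("prod-1")
	fmt.Printf("hardened form with a valid name: %q\n", args)
}
```

The hardened form relies on two independent controls: the allowlist rejects anything that is not a plain name, and the argv-based call means that even a value that slipped past the allowlist would reach `kubectl` as a single argument rather than be parsed by a shell.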

Affected Versions

  • Rancher versions >= 2.14.0 and < 2.14.2 [S3].

Fixes and Mitigations

Users should upgrade to Rancher version 2.14.2 or later to resolve this issue [S3]. If an immediate upgrade is not possible, restrict access to the Rancher API and UI to trusted users, since anyone who can submit YAML to the affected endpoint is in the attack surface, and review any YAML-based configuration for unexpected shell metacharacters or command fragments before applying it [S2]. Treat these measures as stopgaps: the advisory does not identify the affected parameter, so input filtering cannot be targeted with confidence.

How FixVibe could detect it

FixVibe could detect this vulnerability through its repository scanning capabilities [S3]. By analyzing Go-based Rancher deployments and checking version manifests for affected versions (2.14.0 and 2.14.1), whether a go.mod that requires the Rancher module or a deployment manifest that pins the Rancher container image or chart version, FixVibe can alert users to the presence of the vulnerable software [S3].
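The version check described above, as an added example that is not FixVibe's own scanner: it parses MAJOR.MINOR.PATCH versions with an optional pre-release suffix, tests them against the advisory's affected range (>= 2.14.0, < 2.14.2), and walks a constructed manifest containing a go.mod require line and two container image references. Pre-release versions sort before the corresponding release, as Semantic Versioning specifies, so a `2.14.2-rc1` build is reported as affected rather than silently assumed to carry the fix. The manifest lines and the regular expression that locates a Rancher reference are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// semver holds the numeric part of a version plus any pre-release suffix.
type semver struct {
	nums [3]int
	pre  string
}

// parseSemver accepts "2.14.1", "v2.14.1" or "2.14.2-rc1".
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	base, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var v semver
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v.nums[i] = n
	}
	v.pre = pre
	return v, nil
}

// compare orders two versions; a pre-release sorts before the same numeric release.
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// Affected range from the advisory: >= 2.14.0 and < 2.14.2.
var (
	affectedFrom = semver{nums: [3]int{2, 14, 0}}
	fixedIn      = semver{nums: [3]int{2, 14, 2}}
)

// IsAffected reports whether a Rancher version string falls in the affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	return compare(v, affectedFrom) >= 0 && compare(v, fixedIn) < 0, nil
}

// rancherRef locates a Rancher module path (go.mod) or container image reference
// followed by a version. The pattern is an assumption for this example.
var rancherRef = regexp.MustCompile(`rancher/rancher[@: \t]+(v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)`)

// ScanManifest returns each manifest line that pins an affected Rancher version.
func ScanManifest(text string) []string {
	var hits []string
	for _, line := range strings.Split(text, "\n") {
		m := rancherRef.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if affected, err := IsAffected(m[1]); err == nil && affected {
			hits = append(hits, strings.TrimSpace(line))
		}
	}
	return hits
}

// Constructed sample: a go.mod require line, a fixed image, and an affected image.
const sampleManifest = `require github.com/rancher/rancher v2.14.1
image: rancher/rancher:v2.14.2
        image: rancher/rancher:v2.14.0
`

func main() {
	for _, h := range ScanManifest(sampleManifest) {
		fmt.Println("affected:", h)
	}
}
```

Running the block prints the go.mod line and the v2.14.0 image line and stays silent on the v2.14.2 image. A scanner that only matched the literal strings "2.14.0" and "2.14.1" would miss pre-release builds and would have to be edited for every new advisory; comparing against the range is what generalizes.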
