CVE-2023-22648: Rancher's Azure AD permission changes are not reflected on active sessions
A bug has been identified in which permission changes in Azure AD are not reflected for users while they are logged in to the Rancher UI. As a result, users retain their previous permissions in Rancher even if their group membership changes in Azure AD, for example when they are moved to a lower-privileged group or removed from a group, and so they keep access to Rancher instead of losing it.