CVE-2023-32199: Rancher user retains access to clusters despite Global Role removal
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that:
- Have a rule granting verbs '*' on resources '*' in apiGroups '*' (all verbs on all resources in all API groups)
- Have a rule granting verbs '*' on nonResourceURLs '*' (all verbs on all non-resource URLs)
For example:

    apiVersion: management.cattle.io/v3
    kind: GlobalRole
    metadata:
      name: custom-admin
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
Specifically:
- When a user is bound to a custom admin GlobalRole, a corresponding ClusterRoleBinding is created on all clusters that binds them to the cluster-admin ClusterRole.
- When such a GlobalRole or the GlobalRoleBinding (e.g., when the user is unassigned from this role in the UI) is deleted, the ClusterRoleBinding that binds them to the cluster-admin ClusterRole stays behind.
This issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.
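The practical check for an affected installation is to compare the GlobalRoleBindings that still exist on the Rancher management cluster against the cluster-admin ClusterRoleBindings present on each downstream cluster, and flag any User subject that has a cluster-admin binding but no current admin GlobalRoleBinding. The script below is an added example, not Rancher's own code or part of this advisory. It assumes input shaped like the JSON produced by `kubectl get globalrolebindings.management.cattle.io -o json` on the management cluster (top-level `globalRoleName` and `userName` fields) and `kubectl get clusterrolebindings -o json` on a downstream cluster, and that Rancher uses the Rancher user ID as the User subject name in the bindings it creates; the user IDs, binding names and GlobalRole names in the embedded sample data are constructed for illustration.

```python
"""
Detect ClusterRoleBindings to cluster-admin on a downstream cluster whose
User subject no longer holds an admin GlobalRoleBinding in Rancher.

Added example (not Rancher code). Field names follow the Rancher
management.cattle.io/v3 GlobalRoleBinding (globalRoleName, userName) and
core RBAC ClusterRoleBinding (roleRef, subjects) resources; the sample
data, user IDs and binding names below are constructed.
"""
from __future__ import annotations

import json

# Constructed sample: GlobalRoleBindings as listed on the Rancher management
# cluster. u-alice is still bound to the custom admin role; u-bob's binding
# was deleted (the scenario in the advisory), so it no longer appears here.
GLOBAL_ROLE_BINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "grb-1"}, "globalRoleName": "custom-admin", "userName": "u-alice"},
  {"metadata": {"name": "grb-2"}, "globalRoleName": "user",         "userName": "u-carol"}
]}
"""

# Constructed sample: ClusterRoleBindings on one downstream cluster. The
# binding for u-bob is the leftover this check is meant to surface.
CLUSTER_ROLE_BINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "globaladmin-u-alice"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "u-alice"}]},
  {"metadata": {"name": "globaladmin-u-bob"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "u-bob"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]}
]}
"""

# GlobalRoles that are expected to produce a cluster-admin binding downstream:
# Rancher's built-in "admin" plus every custom admin role (assumed name here).
ADMIN_GLOBAL_ROLES = {"admin", "custom-admin"}


def admin_users_from_global_role_bindings(grb_list: dict, admin_roles: set[str]) -> set[str]:
    """Return the Rancher user IDs that currently hold one of admin_roles."""
    users: set[str] = set()
    for grb in grb_list.get("items", []):
        if grb.get("globalRoleName") in admin_roles and grb.get("userName"):
            users.add(grb["userName"])
    return users


def orphaned_cluster_admin_bindings(crb_list: dict, current_admins: set[str]) -> list[tuple[str, str]]:
    """Return (binding name, user) for each cluster-admin CRB whose User subject
    is not a current admin. Group and ServiceAccount subjects are skipped: they
    are not what Rancher creates for a GlobalRoleBinding, and flagging them
    would only produce noise (e.g. the default system:masters binding)."""
    orphans: list[tuple[str, str]] = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subject in crb.get("subjects") or []:
            if subject.get("kind") != "User":
                continue
            if subject["name"] not in current_admins:
                orphans.append((crb["metadata"]["name"], subject["name"]))
    return orphans


def remediation_commands(orphans: list[tuple[str, str]]) -> list[str]:
    """kubectl commands to remove the leftover bindings, one per finding.
    Review each before running: a direct, non-Rancher grant to cluster-admin
    for a User would be listed here as well."""
    return [f"kubectl delete clusterrolebinding {name}" for name, _user in orphans]


def find_orphans() -> list[tuple[str, str]]:
    """Run the check over the embedded sample data."""
    grbs = json.loads(GLOBAL_ROLE_BINDINGS_JSON)
    crbs = json.loads(CLUSTER_ROLE_BINDINGS_JSON)
    admins = admin_users_from_global_role_bindings(grbs, ADMIN_GLOBAL_ROLES)
    return orphaned_cluster_admin_bindings(crbs, admins)


if __name__ == "__main__":
    found = find_orphans()
    for name, user in found:
        print(f"orphaned cluster-admin binding {name} for user {user}")
    for cmd in remediation_commands(found):
        print(cmd)
```

Run it once per downstream cluster with that cluster's ClusterRoleBinding list; the GlobalRoleBinding list always comes from the Rancher management cluster. Treat the output as candidates for review rather than deleting automatically, because anyone who granted cluster-admin to a User directly, outside Rancher, will also appear.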
Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.