CVE-2024-58260: Rancher update on users can deny the service to the admin
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the .username field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically:
- Username takeover: A user with permission to update another user's resource can set its .username to "admin", preventing both the legitimate admin and the affected user from logging in, as Rancher enforces uniqueness at login time.
- Account lockout: A user with update permissions on the admin account can change the admin's username, effectively blocking administrative access to the Rancher UI.
This issue enables a malicious or compromised account with elevated update privileges on User resources to disrupt platform administration and user authentication.
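The check described above as missing is a write-time uniqueness validation on .username. The following Go program is an added illustration of such a server-side validator and is not Rancher's code or its fix; the User type, the UsernameUpdate request, the constructed user list, the case-insensitive comparison and the "protected account" rule that refuses to rename the admin are all assumptions made for the example. It rejects both scenarios from the advisory (renaming another user to "admin", and renaming the admin account) while allowing an ordinary, non-colliding rename.

```go
package main

import (
	"fmt"
	"strings"
)

// User holds the two fields of a User resource that matter for this check.
// Constructed example type, not Rancher's own API type.
type User struct {
	Name     string // resource name, e.g. "user-bob"
	Username string // the .username field the advisory refers to
}

// UsernameUpdate is a requested change: set Target's .username to NewUsername.
type UsernameUpdate struct {
	Target      string
	NewUsername string
}

// protectedUsers lists accounts whose username is treated as immutable.
// Assumed hardening choice for this example, not a Rancher setting.
var protectedUsers = map[string]bool{"admin": true}

// ValidateUsernameUpdate enforces, at write time, what the advisory says Rancher
// only checked at login time: the new .username must not collide with any other
// User. It also refuses to rename a protected account. Returns nil if allowed.
func ValidateUsernameUpdate(existing []User, upd UsernameUpdate) error {
	newName := strings.TrimSpace(upd.NewUsername)
	if newName == "" {
		return fmt.Errorf("username must not be empty")
	}

	var target *User
	for i := range existing {
		if existing[i].Name == upd.Target {
			target = &existing[i]
			break
		}
	}
	if target == nil {
		return fmt.Errorf("user %q not found", upd.Target)
	}

	// Account lockout scenario: renaming the admin account is refused outright.
	if protectedUsers[target.Username] && newName != target.Username {
		return fmt.Errorf("username of protected account %q cannot be changed", target.Username)
	}

	// Username takeover scenario: the requested name must not already belong to
	// another User. Case-insensitive comparison is an assumption of the example.
	for _, u := range existing {
		if u.Name != upd.Target && strings.EqualFold(u.Username, newName) {
			return fmt.Errorf("username %q is already used by user %q", newName, u.Name)
		}
	}
	return nil
}

func main() {
	// Constructed sample directory: one admin and one regular user.
	users := []User{
		{Name: "user-admin", Username: "admin"},
		{Name: "user-bob", Username: "bob"},
	}
	requests := []UsernameUpdate{
		{Target: "user-bob", NewUsername: "admin"},  // takeover attempt
		{Target: "user-admin", NewUsername: "root"}, // lockout attempt
		{Target: "user-bob", NewUsername: "robert"}, // benign rename
	}
	for _, r := range requests {
		if err := ValidateUsernameUpdate(users, r); err != nil {
			fmt.Printf("REJECT %s -> %q: %v\n", r.Target, r.NewUsername, err)
		} else {
			fmt.Printf("ALLOW  %s -> %q\n", r.Target, r.NewUsername)
		}
	}
}
```

In a real deployment this logic belongs in the API server's update path (for a Kubernetes-style resource, a validating admission step), so that it runs regardless of which client sends the update; restricting update permission on User resources to the smallest possible set of principals is the complementary least-privilege control.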