CVE-2025-23389: Rancher does not properly validate account bindings in SAML authentication, enabling user impersonation on first login
A vulnerability in Rancher has been discovered that allows local user impersonation through SAML authentication on first login.
References
- bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23389
- github.com/advisories/GHSA-mq23-vvg7-xfm4
- github.com/rancher/rancher
- github.com/rancher/rancher/commit/4b885322eaf9995a1054bb46e019841653dc0d10
- github.com/rancher/rancher/commit/cda77b743788feb8df8aedf9fd409ed0916a8723
- github.com/rancher/rancher/commit/f36b896a99441985a1658e1b8c504d77e52fee4f
- github.com/rancher/rancher/pull/48964
- github.com/rancher/rancher/pull/49030
- github.com/rancher/rancher/pull/49031
- github.com/rancher/rancher/releases/tag/v2.10.3
- github.com/rancher/rancher/releases/tag/v2.8.13
- github.com/rancher/rancher/releases/tag/v2.9.7
- github.com/rancher/rancher/security/advisories/GHSA-mq23-vvg7-xfm4
- nvd.nist.gov/vuln/detail/CVE-2025-23389
- pkg.go.dev/vuln/GO-2025-3490