
Cloud Vulnerability DB
A community-driven vulnerability database
A vulnerability (CVE-2023-32199) was identified in Rancher Manager, affecting the 2.12 line before 2.12.3, the 2.11 line before 2.11.7, and versions 2.10.0 and 2.9.0. It allows users to retain administrative access to downstream clusters after the custom GlobalRole that granted it, or the binding to that role, has been removed. The vulnerability was disclosed in October 2025 (GitHub Advisory).
The vulnerability specifically affects custom GlobalRoles that carry a full wildcard rule for resources ('*' verbs on '*' resources in '*' API groups) together with a '*' verbs rule on '*' non-resource URLs; these are the same rules the built-in cluster-admin ClusterRole has. When a user is bound to such a custom admin GlobalRole, Rancher creates a ClusterRoleBinding on every cluster that binds the user to the cluster-admin ClusterRole. The defect is that deleting the GlobalRole or its GlobalRoleBinding does not remove those ClusterRoleBindings, so the cluster-admin grant stays active. The vulnerability has been assigned a CVSS score of 4.3 (Moderate) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L (GitHub Advisory). The low score reflects that the affected user had already been granted administrative rights; the issue is that revocation does not take effect, not that a non-admin gains access.
In practice, a user keeps cluster-admin access on every cluster after their privileges have been revoked, whether by unassigning them from the custom admin GlobalRole or by deleting the role itself. They can continue to perform administrative actions on those clusters even though Rancher shows the permissions as removed (GitHub Advisory).
The vulnerability has been patched in Rancher versions v2.12.3 and v2.11.7. The fix removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or one of its GlobalRoleBindings is deleted. The fix does not delete ClusterRoleBindings that were already orphaned before the upgrade; it marks them with the annotation 'authz.cluster.cattle.io/admin-globalrole-missing=true', and they must be deleted manually. For deployments that cannot be upgraded, users are advised to identify and remove the orphaned ClusterRoleBindings themselves, since nothing annotates them there (GitHub Advisory).
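The following script is an added example for the cleanup described above; it is not Rancher's own code or part of the advisory. It takes the JSON output of `kubectl get clusterrolebindings -o json` from a downstream cluster and finds, first, the bindings a patched Rancher has annotated as orphaned, and second, for unpatched clusters, cluster-admin bindings whose User subjects are no longer in the set of users currently bound to an admin GlobalRole. That second set of users is assumed to be gathered separately from the management cluster (for example from `kubectl get globalrolebindings -o json`); the assumption that the binding's User subject is the Rancher user ID, the binding names, and the sample data are all constructed for illustration.

```python
"""Audit a downstream cluster's ClusterRoleBindings for orphaned Rancher admin grants.

Added example, not Rancher's code. Input is `kubectl get clusterrolebindings -o json`
from a downstream cluster. Binding names, user IDs and the sample below are constructed;
the assumption that a binding's User subject equals the Rancher user ID is ours.
"""
import json
import sys

# Annotation the patched Rancher (v2.12.3 / v2.11.7) puts on bindings it could not map
# to a surviving admin GlobalRole (from the advisory).
ORPHAN_ANNOTATION = "authz.cluster.cattle.io/admin-globalrole-missing"


def cluster_admin_bindings(crb_list):
    """Yield every ClusterRoleBinding whose roleRef is the cluster-admin ClusterRole."""
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            yield crb


def find_annotated_orphans(crb_list):
    """Post-upgrade check: names of cluster-admin bindings Rancher annotated as orphaned."""
    names = []
    for crb in cluster_admin_bindings(crb_list):
        annotations = crb["metadata"].get("annotations", {})
        if annotations.get(ORPHAN_ANNOTATION) == "true":
            names.append(crb["metadata"]["name"])
    return sorted(names)


def find_unexpected_user_admins(crb_list, current_admin_users):
    """Pre-upgrade check: cluster-admin bindings whose User subjects are not in the set of
    users currently bound to a custom admin GlobalRole. Group and ServiceAccount subjects
    (e.g. the built-in system:masters binding) are deliberately left for manual review.
    Returns {binding_name: [user_id, ...]}."""
    suspects = {}
    for crb in cluster_admin_bindings(crb_list):
        stale = [s["name"] for s in crb.get("subjects", [])
                 if s.get("kind") == "User" and s["name"] not in current_admin_users]
        if stale:
            suspects[crb["metadata"]["name"]] = stale
    return suspects


def deletion_commands(names):
    """kubectl commands to remove the identified bindings on the downstream cluster."""
    return [f"kubectl delete clusterrolebinding {name}" for name in names]


def _crb(name, subjects, annotations=None):
    # Helper to build a minimal ClusterRoleBinding object for the constructed sample.
    meta = {"name": name}
    if annotations:
        meta["annotations"] = annotations
    return {"metadata": meta, "subjects": subjects,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"}}


# Constructed sample: one built-in binding, one binding annotated by a patched Rancher,
# one for a user who still holds the admin GlobalRole, one silent orphan.
SAMPLE_CRBS = {"items": [
    _crb("cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _crb("globaladmin-u-abc123", [{"kind": "User", "name": "u-abc123"}],
         {ORPHAN_ANNOTATION: "true"}),
    _crb("globaladmin-u-def456", [{"kind": "User", "name": "u-def456"}]),
    _crb("globaladmin-u-ghi789", [{"kind": "User", "name": "u-ghi789"}]),
]}


if __name__ == "__main__":
    # Usage: python audit.py crbs.json u-def456 u-other ...  (no file: run the sample)
    crbs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CRBS
    still_admin = set(sys.argv[2:]) if len(sys.argv) > 2 else {"u-def456"}
    orphans = find_annotated_orphans(crbs)
    suspects = find_unexpected_user_admins(crbs, still_admin)
    print("annotated orphans:", orphans)
    print("cluster-admin bindings for users without an admin GlobalRole:", suspects)
    for cmd in deletion_commands(sorted(set(orphans) | set(suspects))):
        print(cmd)
```

Review the second list before deleting anything: a binding whose subject is not a Rancher user ID, or one created outside Rancher, will show up there as well.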
Source: this report was generated with the help of AI.