CVE-2024-58260 HIGH

CVE-2024-58260: Rancher update on users can deny the service to the admin

Vendor Suse
Product rancher
Weakness CWE-863 · Incorrect authorization
Published October 2, 2025
Last update October 2, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H

What the vulnerability does

01 Description

A vulnerability has been identified in Rancher Manager where missing server-side validation of the `.username` field can allow users with update permissions on other User resources to cause denial of access for targeted accounts.

Key dates

02 Disclosure timeline

October 2, 2025 CVE published
October 2, 2025 Record updated