CVE-2026-25705: Rancher Extensions have arbitrary file access via path traversal
A vulnerability has been identified in Rancher’s Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to:
- Overwrite Rancher binaries or configuration to inject code.
- Write to
/var/lib/rancher/to tamper with cluster state. - If
hostPathvolumes are mounted, write to the host node filesystem. - Use this issue to chain with other attack vectors.
By default only the administrator can deploy UI extensions, unless permissions are granted to other users. It’s always recommended to only install extensions that come from sources trusted by the user.
Please consult the associated MITRE CAPEC-126 - Technique - Path Traversal for further information about this category of attack.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-25705 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →