PatchSiren cyber security CVE debrief

CVE-2026-44543 rancher CVE debrief

A high-severity vulnerability in Rancher Local Path Provisioner versions prior to 0.0.36 allows privilege escalation through ConfigMap template manipulation. The provisioner's helperPod.yaml template, stored in the local-path-config ConfigMap within the local-path-storage namespace, lacks sufficient validation before use during PVC provisioning and cleanup operations. An attacker with permissions to edit this ConfigMap can inject malicious configurations including privileged security contexts, hostPath volume mounts, and elevated Linux capabilities. When triggered by PVC operations, these modifications result in HelperPods executing with root filesystem access on target nodes, enabling host-level compromise including sensitive file access, ServiceAccount token extraction from co-located pods, cross-tenant data access, and host filesystem modification. The vulnerability carries a CVSS 3.1 score of 8.7 (High) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, reflecting network attack vector, low complexity, high privileges required, no user interaction, changed scope, and high impacts to confidentiality and integrity. The issue was published on May 28, 2026, and is classified under CWE-269 (Improper Privilege Management). Remediation requires upgrading to version 0.0.36 or later.

Vendor: rancher
Product: local-path-provisioner
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Kubernetes platform operators, cluster administrators, security teams managing multi-tenant environments, and organizations using Rancher Local Path Provisioner for local storage provisioning. Organizations with delegated namespace administration or developers with elevated ConfigMap permissions face elevated risk. Teams subject to container security compliance requirements or running sensitive workloads on shared nodes should prioritize assessment.

Technical summary

The Local Path Provisioner loads the helperPod.yaml template from the local-path-config ConfigMap without sufficient validation of security-sensitive fields. The provisioner creates HelperPods during PVC provisioning and cleanup using this template. An attacker with ConfigMap edit permissions can inject privileged: true security contexts, hostPath volume mounts targeting /, and dangerous Linux capabilities. When PVC operations trigger HelperPod creation, the attacker-controlled configuration executes with full host access. The attack requires existing permissions within the cluster (PR:H) but achieves changed-scope impact (S:C) affecting node-level security boundaries. The vulnerability demonstrates insufficient input validation in infrastructure components that dynamically generate workload specifications from user-modifiable configuration.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Rancher Local Path Provisioner to version 0.0.36 or later to remediate this vulnerability
  • Restrict RBAC permissions to edit ConfigMaps in the local-path-storage namespace to only highly trusted administrative principals
  • Implement admission control policies to validate helperPod.yaml templates for prohibited securityContext fields including privileged: true, dangerous capabilities, and hostPath volumes
  • Enable audit logging for ConfigMap modifications in the local-path-storage namespace to detect potential template tampering
  • Review existing local-path-config ConfigMap contents for unauthorized modifications to securityContext, volumes, or container specifications
  • Consider network policies to restrict egress from HelperPods to limit exfiltration potential if compromise occurs
  • Implement pod security standards or OPA/Gatekeeper policies preventing privileged pod creation in the local-path-storage namespace
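
The technical summary above names the fields an attacker would inject into helperPod.yaml, and the action list asks for a review of the local-path-config ConfigMap and for audit logging of ConfigMap writes in local-path-storage. The script below is an added example, not PatchSiren's text and not the Local Path Provisioner's own code. It does two things: find_template_violations() checks a parsed helper-pod template for privileged security contexts, hostPath volumes (above all the node root "/") and added Linux capabilities; flag_configmap_writes() scans kube-apiserver audit-log lines for completed write requests against that ConfigMap. The capability set, the assumption that a template should declare no hostPath volumes of its own, the sample templates and the audit events are all constructed for this example; PyYAML is used if installed, otherwise the JSON samples (a YAML subset) are read with the standard library.

```python
"""Added example (not PatchSiren's text or the Local Path Provisioner's code).

Two defender-side checks for the issue class described above:
  find_template_violations() reviews a parsed helperPod.yaml template (the
      local-path-config ConfigMap key) for the fields the advisory names:
      privileged security contexts, hostPath volumes and added capabilities.
  flag_configmap_writes() scans Kubernetes audit-log JSON lines for write
      verbs against that ConfigMap in the local-path-storage namespace.
The sample template and audit lines are constructed for illustration.
"""
import json

try:
    import yaml  # PyYAML, if installed; the samples below are JSON, a YAML subset

    def load_doc(text):
        return yaml.safe_load(text)
except ImportError:
    def load_doc(text):
        return json.loads(text)

# Capabilities treated as node-compromising here; the set is this example's
# assumption, not a list taken from the advisory.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
WATCHED_NS = "local-path-storage"
WATCHED_CM = "local-path-config"
WRITE_VERBS = {"create", "update", "patch", "delete"}


def find_template_violations(template):
    """Return human-readable findings for a parsed Pod manifest used as the helper template."""
    findings = []
    spec = template.get("spec") or {}
    for host_ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_ns):
            findings.append(f"pod sets {host_ns}: true")
    # Assumption: the template itself should carry no hostPath volumes; any it
    # declares (above all the node root "/") is treated as injected.
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath")
        if hp is not None:
            findings.append(f"volume {vol.get('name')!r} is hostPath {hp.get('path')!r}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c.get('name')!r} is privileged")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        bad = sorted(added & DANGEROUS_CAPS)
        if bad:
            findings.append(f"container {c.get('name')!r} adds capabilities {bad}")
    return findings


def flag_configmap_writes(audit_lines, namespace=WATCHED_NS, name=WATCHED_CM):
    """Return (username, verb, timestamp) for completed write requests on the watched ConfigMap."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") == "ResponseComplete"  # skip the RequestReceived duplicate of each call
                and ev.get("verb") in WRITE_VERBS
                and ref.get("resource") == "configmaps"
                and ref.get("namespace") == namespace
                and ref.get("name") == name):
            hits.append(((ev.get("user") or {}).get("username"), ev["verb"],
                         ev.get("requestReceivedTimestamp")))
    return hits


# Constructed: a minimal helper template and one carrying injected fields.
DEFAULT_TEMPLATE = """{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "helper-pod"},
 "spec": {"containers": [{"name": "helper-pod", "image": "busybox",
                          "imagePullPolicy": "IfNotPresent"}]}}"""
INJECTED_TEMPLATE = """{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "helper-pod"},
 "spec": {"volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
          "containers": [{"name": "helper-pod", "image": "busybox",
             "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}},
             "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}]}}"""

# Constructed kube-apiserver audit events, one JSON object per line.
AUDIT_LINES = [
    '{"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:serviceaccount:local-path-storage:provisioner"}, '
    '"objectRef": {"resource": "configmaps", "namespace": "local-path-storage", "name": "local-path-config"}, '
    '"requestReceivedTimestamp": "2026-05-28T10:00:00Z"}',
    '{"stage": "RequestReceived", "verb": "patch", "user": {"username": "dev-alice"}, '
    '"objectRef": {"resource": "configmaps", "namespace": "local-path-storage", "name": "local-path-config"}, '
    '"requestReceivedTimestamp": "2026-05-28T10:05:00Z"}',
    '{"stage": "ResponseComplete", "verb": "patch", "user": {"username": "dev-alice"}, '
    '"objectRef": {"resource": "configmaps", "namespace": "local-path-storage", "name": "local-path-config"}, '
    '"requestReceivedTimestamp": "2026-05-28T10:05:00Z"}',
    '{"stage": "ResponseComplete", "verb": "update", "user": {"username": "dev-alice"}, '
    '"objectRef": {"resource": "configmaps", "namespace": "default", "name": "app-config"}, '
    '"requestReceivedTimestamp": "2026-05-28T10:06:00Z"}',
]

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_TEMPLATE), ("injected", INJECTED_TEMPLATE)):
        print(label, find_template_violations(load_doc(text)) or "clean")
    print("ConfigMap writes:", flag_configmap_writes(AUDIT_LINES))
```

Against the injected template the check reports the hostPath volume on "/", the privileged container and the added SYS_ADMIN capability, and the audit scan returns only dev-alice's completed patch of local-path-config, ignoring the provisioner's read, the RequestReceived stage of the same call, and writes to ConfigMaps in other namespaces. In a cluster the template text would come from the helperPod.yaml key of the ConfigMap (for example via kubectl get configmap local-path-config -n local-path-storage -o jsonpath='{.data.helperPod\.yaml}') and the audit lines from the API server's audit log.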

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed through GitHub Security Advisory GHSA-7fxv-8wr2-mfc4. CVSS vector and scoring per NVD. CWE classification from [email protected]. Fix version 0.0.36 explicitly stated in CVE description.
