4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32199

GHSA ID

GHSA-j4vr-pcmw-hx59

EPSS Score

CWE

CWE-281

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32199

CVE-2023-32199: Rancher user retains access to clusters despite Global Role removal

Impact

A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that:

Have a * on * in * rule for resources
Have a * on * rule for non-resource URLs

For example

apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: custom-admin
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'

Specifically:

When a user is bound to a custom admin GlobalRole, a corresponding ClusterRoleBinding is created on all clusters that binds them to the cluster-admin ClusterRole.
When such a GlobalRole or the GlobalRoleBinding (e.g., when the user is unassigned from this role in UI) is deleted, the ClusterRoleBinding that binds them to the cluster-admin ClusterRole stays behind.

This issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.

Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.

Patches

This vulnerability is addressed by removing the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings are marked with the annotation authz.cluster.cattle.io/admin-globalrole-missing=true and should be deleted manually.

Orphaned ClusterRoleBindings can be listed with:

kubectl get clusterrolebinding -o jsonpath='{range .items[?(@.metadata.annotations.authz\.cluster\.cattle\.io/admin-globalrole-missing=="true")]}{.metadata.name}{"\n"}{end}'

Patched versions of Rancher include releases v2.12.3, v2.11.7.

Complications with the restricted admin functionality prevented the patches from being included in v2.10 and v2.9.

Workarounds

If the deployment can't be upgraded to a fixed version, users are advised to manually identify the orphaned ClusterRoleBindings and remove them.

References

If you have any questions or comments about this advisory:

Contact the SUSE Rancher Security team for security related inquiries.
Open an issue in the Rancher repository.
Verify with our support matrix and product support lifecycle.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32199

GHSA ID

GHSA-j4vr-pcmw-hx59

EPSS Score

CWE

CWE-281

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	< 0.0.0-20251014212116-7faa74a968c2	0.0.0-20251014212116-7faa74a968c2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2023-32199, allows a Rancher user to retain administrative access to clusters even after the GlobalRole or GlobalRoleBinding granting this access has been removed. The root cause is the persistence of ClusterRoleBindings that grant cluster-admin privileges.

My analysis of the patch identified three key functions involved in this process:

rbac.grbHandler.sync: This is the most critical function related to the vulnerability. As the controller for GlobalRoleBindings, it is responsible for managing their lifecycle. The code explicitly ignores deletion events (obj.DeletionTimestamp != nil), which means it fails to trigger the necessary cleanup of the associated ClusterRoleBinding. This omission is the direct cause of the orphaned resource.
rbac.grbHandler.ensureClusterAdminBinding and rbac.clusterHandler.doSync: These two functions are responsible for creating the ClusterRoleBindings in the first place. They are considered part of the vulnerable process because they create resources without a proper lifecycle management mechanism, such as an owner reference, that would ensure they are garbage collected when the parent GlobalRoleBinding is deleted. The patch modifies these functions to add annotations, which allows a new, separate cleanup controller to identify and manage these bindings, confirming they are the source of the orphaned resources.

The patch introduces a new background cleaner (crbCleaner) to periodically scan for and mark orphaned ClusterRoleBindings that were created by the vulnerable functions. This confirms that the original controllers lacked the necessary cleanup logic. Therefore, any runtime profile taken during the setup of the vulnerable state would show calls to ensureClusterAdminBinding or doSync, and the failure to clean up is centered in the grbHandler.sync function's lack of action on deletion.

Vulnerable functions

rbac.grbHandler.sync

pkg/controllers/managementuser/rbac/globalrolebinding_handler.go

This function is the controller for GlobalRoleBinding objects. Its failure to handle deletion events is the primary cause of the vulnerability. When a user's administrative role is revoked by deleting the GlobalRoleBinding, this function should trigger the deletion of the corresponding ClusterRoleBinding that grants cluster access. By doing nothing, it leaves the ClusterRoleBinding orphaned and the user's access intact.

rbac.grbHandler.ensureClusterAdminBinding

pkg/controllers/managementuser/rbac/globalrolebinding_handler.go

This function is responsible for creating a ClusterRoleBinding that grants a user 'cluster-admin' privileges based on a GlobalRoleBinding. The vulnerability stems from the fact that the created ClusterRoleBinding is not automatically cleaned up. This function is a key part of the workflow that creates the orphaned resource. During an exploit, this function would have been called to grant the initial access.

rbac.clusterHandler.doSync

pkg/controllers/managementuser/rbac/cluster_handler.go

This function syncs permissions for global admins upon cluster changes, creating 'cluster-admin' ClusterRoleBindings. Like `ensureClusterAdminBinding`, it creates resources that are not garbage collected when the user's global admin role is removed, contributing to the vulnerable state. This function would be on the execution path when setting up the permissions that are later not revoked.

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility **s ***n i**nti*i** wit*in R*n***r M*n***r, w**r* **t*r r*movin* * *ustom *lo**lRol* t**t *iv*s **ministr*tiv* ****ss or t** *orr*spon*in* *in*in*, t** us*r still r*t*ins ****ss to *lust*rs. T*is only *****ts *ustom *lo**l

Reasoning

T** vuln*r**ility, *V*-****-*****, *llows * R*n***r us*r to r*t*in **ministr*tiv* ****ss to *lust*rs *v*n **t*r t** *lo**lRol* or *lo**lRol**in*in* *r*ntin* t*is ****ss **s ***n r*mov**. T** root **us* is t** p*rsist*n** o* `*lust*rRol**in*in*s` t**t

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-32199: Rancher user retains access to clusters despite Global Role removal

Impact

Patches

Workarounds

References

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI