Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-hwm2-4ph6-w6m5

Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user

Also known asGO-2026-4590
Published
Mar 3, 2026
Updated
Mar 23, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
🐹github.com/rancher/rancher

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

The restricted pod security policy (PSP), provided in Rancher versions from 2.0 up to and including 2.6.3, has a deviation from the upstream restricted policy provided in Kubernetes, in which Rancher's PSP has runAsUser set to runAsAny, while upstream has runAsUser set to MustRunAsNonRoot. This allows containers to run as any user, including a privileged user (root), even when Rancher's restricted policy is enforced on a project or at cluster level.

A new restricted-noroot PSP was created to prevent pods from running as root when this policy is enforced. This new policy was introduced, instead of patching the current provided restricted policy, in order to avoid breaking users' workloads that are using the restricted PSP and that might be running as a privileged user.

Note: Running containers as root increases the risk of a compromised container being used by a malicious actor as an attack platform to further exploit the user's environment. It is a security best practice to avoid running containers as a privileged user and to limit its usage to workloads where it is strictly necessary.

Patches

Patched versions include release 2.6.4 and later versions. The existing restricted PSP in Rancher 2.6.4 was not modified and still allows containers to run as a privileged user, as explained above. This fix was not backported to previous releases.

For Rancher 2.6.4 and later releases, users using the current restricted PSP and that want to prevent containers from running as root, are advised to migrate to the new restricted-noroot policy. Before doing this migration, it is necessary to verify if affected workloads are currently running as a privileged user and modify them accordingly to the users' own environment to run as a non-privileged user. A redeployment of the affected workload is necessary in order for the new PSP to take effect.

Workarounds

For users running Rancher 2.6.3 and previous releases, which did not received this backport and that want to benefit from this fix, they can manually create a new restricted-noroot PSP on their clusters through Rancher UI. The template of the restricted-noroot policy provided in Rancher 2.6.4 is available in the source code. As a reminder, it is also necessary to manually verify and redeploy the running workload before enabling a more restricted pod security policy.

References

For instructions on how to configure pod security policies using Rancher, please refer to the documentation page. For more information on PSPs in Kubernetes, please refer to the Kubernetes documentation (permalink).

Important reminder: Pod security policies are considered deprecated since Kubernetes v1.21, and will be removed in Kubernetes v1.25. Consult Kubernetes' documentation (permalink) regarding how to migrate from PodSecurityPolicy to Kubernetes' built-in PodSecurity Admission Controller. For the list of supported Kubernetes versions in Rancher, please consult our support matrix.

For more information

If you have any questions or comments about this advisory:

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/rancher/rancher2.0.0&&< 2.6.42.6.4

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/rancher/rancher. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/rancher/rancher to 2.6.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hwm2-4ph6-w6m5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-hwm2-4ph6-w6m5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-hwm2-4ph6-w6m5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact The `restricted` pod security policy (PSP), provided in Rancher versions from 2.0 up to and including 2.6.3, has a deviation from the [upstream](https://github.com/kubernetes/website/blob/6d22e08903d7dd44b049c4689fa882ae07f67de9/content/en/examples/policy/restricted-psp.yaml) `restricted` policy provided in Kubernetes, in which Rancher's PSP has `runAsUser` set to `runAsAny`, while upstream has `runAsUser` set to `MustRunAsNonRoot`. This allows containers to run as any user, including a privileged user (`root`), even when Rancher's `restricted` policy is enforced on a project or at
O3 Security · Impact-Aware SCA

Is GHSA-hwm2-4ph6-w6m5 in your dependencies?

O3 detects GHSA-hwm2-4ph6-w6m5 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works