Security Advisories and CVEs

NeuVector is committed to informing the community about security issues. The following table lists published security advisories and CVEs (Common Vulnerabilities and Exposures) for resolved issues.

CVE List

| ID | Description | Date | Resolution |
|---|---|---|---|
| CVE-2025-8077 | For NeuVector deployments on Kubernetes-based environments, the bootstrap password of the default admin user is now generated randomly and stored in a Kubernetes secret. The default admin must retrieve the bootstrap password from the secret and change it after the first successful UI login. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-53884 | NeuVector now uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. During rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash after each user’s next successful login. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-54467 | NeuVector now redacts process commands containing password, passwd, pwd, token, or key from logs and debug outputs by default. Users can configure a Kubernetes ConfigMap to define additional regex patterns for redaction. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-46808 | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. For details, see Sensitive Information Exposure in NeuVector Manager Container Logs. | 09 Jul 2025 | NeuVector v5.4.5 |
| CVE-2024-38095 | In .NET, a malicious X.509 certificate or chain can cause excessive CPU use, leading to denial of service. This CVE was flagged as an affected .NET library detection issue. | 9 Jul 2024 | NeuVector v5.4.5 |
| CVE-2024-7347 | The NGINX ngx_http_mp4_module vulnerability allows crafted MP4 files to cause memory over-reads and worker process termination. Reported in NeuVector 5.4.2 as a possible false negative detection in the vulnerability scanner; not a NeuVector product issue. | 14 Aug 2024 | NeuVector v5.4.2 |
| CVE-2018-20796 | In the GNU C Library through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has uncontrolled recursion. | 15 Jan 2025 | Not applicable. Flagged in v5.4.2 as a false positive. |
| CVE-2024-41110 | A security vulnerability in some Docker Engine versions may allow an attacker to bypass authorization plugins (AuthZ). The likelihood of exploitation is low. | 16 Nov 2024 | NeuVector v5.4.1 |
| CVE-2020-26160 | jwt-go allows attackers to bypass access restrictions when []string{} is used for m["aud"]. Users should migrate to golang-jwt v3.2.1. | 16 Nov 2024 | NeuVector v5.4.1 |

Sensitive Information Exposure in NeuVector Manager Container Logs

CVEs: CVE-2025-46808
CVSS Score: 6.8 — CVSS v3.1 Vector
CWE: CWE-532: Insertion of Sensitive Information into Log File

Affected Versions

  • All versions earlier than 5.0.0

  • Versions 5.0.0 through 5.4.4

Fixed version: 5.4.5

Impact

A vulnerability in NeuVector versions up to and including 5.4.4 could leak sensitive information in the manager container logs. The following fields may appear in logs:

| Field | Description | Where It Appears | Reproduction | Environment |
|---|---|---|---|---|
| X-R-Sess | Rancher session token for single sign-on | Request header | Log in via Rancher UI and access NeuVector SSO | Rancher with NeuVector SSO |
| personal_access_token | GitHub or Azure DevOps token | Request body | Submit remote repository config under Configuration > Settings | NeuVector |
| token1.token | NeuVector user session token | Response body | Send a GET request through the NeuVector API: https://<neuvector-ui-url>/user?name=<username> | NeuVector |
| rekor_public_key, root_cert, sct_public_key | Rekor public key, root certificate, and signed certificate timestamp (SCT) public key in the private root of trust | Request body | Create or update the private root of trust from the Sigstore page | NeuVector |
| public_key | Verifier’s public key | Request body | Create or update a verifier in the Sigstore page | NeuVector |

NeuVector installations that have both Rancher Manager single sign-on integration and Remote Repository Configuration disabled are not affected.

In the patched version, X-R-Sess is partially masked. Other sensitive fields (personal_access_token, token, rekor_public_key, root_cert, sct_public_key, public_key) are removed from logs.
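As an added example that is not NeuVector's own code, the following Go program shows one way to implement the two log-hygiene behaviours described on this page: default-keyword redaction of process command lines extended by operator-supplied regex patterns (CVE-2025-54467), and partial masking of a session token such as X-R-Sess. The per-argument strategy, the function names NewCommandRedactor, RedactCommand and MaskToken, and the four-character masking width are assumptions of this example, not details of the NeuVector implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Keywords redacted by default, taken from the advisory text for CVE-2025-54467.
var defaultKeywords = []string{"password", "passwd", "pwd", "token", "key"}
// NewCommandRedactor joins the defaults with extra patterns (the ConfigMap entries in the
// real product) into one case-insensitive alternation; an invalid pattern panics at startup.
func NewCommandRedactor(extra []string) *regexp.Regexp {
	pats := append(append([]string{}, defaultKeywords...), extra...)
	return regexp.MustCompile(`(?i)` + strings.Join(pats, "|"))
}
// RedactCommand replaces every argument the pattern matches, keeping the flag name of a
// flag=value argument so the log stays readable. The executable name (args[0]) is untouched.
func RedactCommand(cmd string, re *regexp.Regexp) string {
	args := strings.Fields(cmd)
	for i := 1; i < len(args); i++ {
		if !re.MatchString(args[i]) {
			continue
		}
		if flag, _, hasValue := strings.Cut(args[i], "="); hasValue {
			args[i] = flag + "=<redacted>"
			continue
		}
		args[i] = "<redacted>"
		// A bare flag usually carries its secret in the next argument: redact that as well.
		if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
			i++
			args[i] = "<redacted>"
		}
	}
	return strings.Join(args, " ")
}
// MaskToken shows only the first and last four characters of a session token (assumed width;
// the advisory only says "partially masked"); tokens of eight characters or fewer are hidden.
func MaskToken(tok string) string {
	if len(tok) <= 8 {
		return strings.Repeat("*", len(tok))
	}
	return tok[:4] + strings.Repeat("*", len(tok)-8) + tok[len(tok)-4:]
}

func main() { // constructed sample inputs, not real credentials
	re := NewCommandRedactor([]string{`^secret=`})
	fmt.Println(RedactCommand("vault kv put app/db secret=hunter2 --token abc123", re))
	fmt.Println(MaskToken("abcdefghij"), MaskToken("short"))
}
```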

  • The severity depends on your logging strategy:

    • Local logging (default) — limits exposure.

    • External logging — severity increases, depending on security controls on external log collectors.

  • The final impact severity depends on permissions of the leaked credentials.

For more information, see Unsecured credentials (MITRE ATT&CK T1552).

Patches

Patched versions include release 5.4.5 and later. Rotate the GitHub token used in Remote Repository Configuration after upgrading.

Workarounds

No workarounds are available. Upgrade to a fixed version as soon as possible.

Questions and Support