Security Advisories and CVEs
NeuVector is committed to informing the community about security issues. The following table lists published security advisories and CVEs (Common Vulnerabilities and Exposures) for resolved issues.
CVE List
| ID | Description | Date | Resolution |
|---|---|---|---|
| CVE-2026-25703 | The NeuVector manager | 18 Mar 2026 | Patched in release 5.5.0 and later |
Potential information leakage from manager /network/graph API
- Advisory ID: CVE-2026-25703
- CWE: No CWEs
Impact
A vulnerability in the NeuVector manager /network/graph API may expose sensitive information to unauthorized users.
The API response can include internal network topology details and metadata that should not be accessible without proper authorization. This may allow an attacker to:
- Enumerate internal services and connections
- Infer network structure and communication patterns
- Gain insights useful for further attacks
The issue occurs due to insufficient access control validation on the affected API endpoint.
Patches
Patched in release 5.5.0 and later.
The fix ensures that:
- Proper authorization checks are enforced on the /network/graph API
- Sensitive data is returned only to authorized users
Workarounds
No complete workaround is available.
As a temporary mitigation:
- Restrict access to the NeuVector UI and API endpoints
- Use network policies or firewall rules to limit exposure
- Ensure only trusted users can access the manager API
Recommendation: Upgrade to version 5.5.0 or later as soon as possible.
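One way to apply the temporary mitigation above until the upgrade is done is a Kubernetes NetworkPolicy that limits which sources can reach the manager. This is an added example, not taken from the advisory or the NeuVector project; the namespace `neuvector`, the pod label `app: neuvector-manager-pod`, port 8443, the `secops-admin` namespace and the CIDR are assumptions to adjust to your deployment.

```yaml
# Added example: once this policy selects the manager pods, all ingress to
# them is denied except from the sources listed under "from".
# Assumptions (not from the advisory): namespace "neuvector", pod label
# app=neuvector-manager-pod, manager port 8443/TCP, a hypothetical
# "secops-admin" namespace, and the constructed CIDR 10.20.30.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-manager-ingress
  namespace: neuvector
spec:
  # Select only the manager pods that serve the UI and the manager API.
  podSelector:
    matchLabels:
      app: neuvector-manager-pod
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Pods in the trusted administration namespace (hypothetical name).
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: secops-admin
        # Administrator workstations or a jump host range (constructed CIDR).
        - ipBlock:
            cidr: 10.20.30.0/24
      ports:
        - protocol: TCP
          port: 8443
```

The policy takes effect only when the cluster's CNI plugin enforces NetworkPolicy, and traffic that arrives through a load balancer or ingress controller may be source-NATed, in which case the `ipBlock` has to match the proxy's address rather than the client's.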
Questions and Support
- Contact the SUSE Rancher Security team.
- Open an issue in the NeuVector GitHub repository.
- References: