Security Advisories and CVEs

NeuVector is committed to informing the community about security issues. The following table lists published security advisories and CVEs (Common Vulnerabilities and Exposures) for resolved issues.

CVE List

| ID | Description | Date | Resolution |
| --- | --- | --- | --- |
| CVE-2025-66001 | In the patched version, new NeuVector deployments enable TLS verification by default. For rolling upgrades, NeuVector does not change this setting automatically to avoid disruption. | 12 Dec 2025 | NeuVector v5.4.8 |
| CVE-2025-8077 | For NeuVector deployments on Kubernetes-based environments, the bootstrap password of the default admin user is now generated randomly and stored in a Kubernetes secret. The default admin must retrieve the bootstrap password from the secret and change it after the first successful UI login. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-53884 | NeuVector now uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. During rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash after each user’s next successful login. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-54467 | NeuVector now redacts process commands containing password, passwd, pwd, token, or key from logs and debug outputs by default. Users can configure a Kubernetes ConfigMap to define additional regex patterns for redaction. | 25 Aug 2025 | NeuVector v5.4.6 |
| CVE-2025-46808 | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. | 09 Jul 2025 | NeuVector v5.4.5 |
| CVE-2024-38095 | In .NET, a malicious X.509 certificate or chain can cause excessive CPU use, leading to denial of service. This CVE was flagged as an affected .NET library detection issue. | 09 Jul 2024 | NeuVector v5.4.5 |
| CVE-2024-7347 | The NGINX ngx_http_mp4_module vulnerability allows crafted MP4 files to cause memory over-reads and worker process termination. Reported in NeuVector 5.4.2 as a possible false negative detection in the vulnerability scanner; not a NeuVector product issue. | 14 Aug 2024 | NeuVector v5.4.2 |
| CVE-2018-20796 | In the GNU C Library through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has uncontrolled recursion. | 15 Jan 2025 | Not applicable. Flagged in v5.4.2 as a false positive. |
| CVE-2024-41110 | A security vulnerability in some Docker Engine versions may allow an attacker to bypass authorization plugins (AuthZ). The likelihood of exploitation is low. | 16 Nov 2024 | NeuVector v5.4.1 |
| CVE-2020-26160 | jwt-go allows attackers to bypass access restrictions when []string{} is used for m["aud"]. Users should migrate to golang-jwt v3.2.1. | 16 Nov 2024 | NeuVector v5.4.1 |
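The CVE-2025-53884 entry describes two things at once: salted PBKDF2 replacing a simple hash, and a lazy migration in which each user's stored hash is recomputed after their next successful login. The Go program below is an added illustration of that pattern; it is not NeuVector's code. It assumes the old "simple hash" was an unsalted SHA-256 (the advisory does not say which function was used), chooses its own iteration count and salt length, and implements PBKDF2 (RFC 8018) directly over HMAC-SHA256 so it runs with the standard library alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"strconv"
	"strings"
)

// Work factor and sizes are this example's choices, not NeuVector's values.
const (
	pbkdf2Iterations = 600000
	saltLen          = 16
	keyLen           = 32
)

// pbkdf2 implements PBKDF2 (RFC 8018, section 5.2) with HMAC as the PRF:
// block T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i)).
func pbkdf2(password, salt []byte, iter, dkLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	var idx [4]byte
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// legacyHash models the pre-5.4.6 "simple hash" as an unsalted SHA-256.
// This is an assumption for the example; the advisory does not name the function.
func legacyHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return "sha256$" + hex.EncodeToString(sum[:])
}

// newPBKDF2Record hashes a password under a fresh salt drawn from crypto/rand.
func newPBKDF2Record(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2([]byte(password), salt, pbkdf2Iterations, keyLen, sha256.New)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdf2Iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// verify accepts both record formats so users created before the upgrade
// can still log in; all comparisons are constant-time.
func verify(record, password string) bool {
	parts := strings.Split(record, "$")
	switch {
	case len(parts) == 2 && parts[0] == "sha256":
		return subtle.ConstantTimeCompare([]byte(record), []byte(legacyHash(password))) == 1
	case len(parts) == 4 && parts[0] == "pbkdf2-sha256":
		iter, err := strconv.Atoi(parts[1])
		salt, err1 := hex.DecodeString(parts[2])
		want, err2 := hex.DecodeString(parts[3])
		if err != nil || err1 != nil || err2 != nil || iter <= 0 || len(want) == 0 {
			return false
		}
		got := pbkdf2([]byte(password), salt, iter, len(want), sha256.New)
		return subtle.ConstantTimeCompare(got, want) == 1
	}
	return false
}

// loginAndUpgrade is the rolling-upgrade step: a successful login against a
// legacy record returns a replacement PBKDF2 record for the caller to store.
// A failed login, or an already-upgraded record, leaves the stored value as is.
func loginAndUpgrade(record, password string) (ok bool, newRecord string, err error) {
	if !verify(record, password) {
		return false, record, nil
	}
	if strings.HasPrefix(record, "pbkdf2-sha256$") {
		return true, record, nil
	}
	upgraded, err := newPBKDF2Record(password)
	if err != nil {
		return false, record, err
	}
	return true, upgraded, nil
}
```

A caller stores whatever `loginAndUpgrade` returns as `newRecord`; after one successful login the `sha256$` record is gone and the password can only be checked through the salted PBKDF2 path. Note that the upgrade can only happen at login, because the server never holds the plaintext password at any other time, which is exactly why the advisory ties rehashing to "each user's next successful login".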

OpenID Connect is vulnerable to MITM

Affected Versions

  • All versions earlier than 5.3.0

  • Versions 5.3.0 through 5.4.7

Fixed version: 5.4.8

Impact

NeuVector supports authentication using OpenID Connect. TLS verification, which validates the authenticity and integrity of the remote server, is not enforced by default. This can expose the system to man-in-the-middle (MITM) attacks.

Beginning with version 5.4.0, NeuVector supports TLS verification for:

  • Registry connections

  • Auth server connections (SAML, LDAP, and OIDC)

  • Webhook connections

By default, TLS verification remains disabled. The setting is available under Settings → Configuration in the NeuVector UI.

In the patched version, new NeuVector deployments enable TLS verification by default. Rolling upgrades do not modify existing configurations to prevent service disruption.

When TLS verification is enabled, it applies to:

  • Registry servers

  • Auth servers (SAML, LDAP, and OIDC)

  • Webhook servers

Patches

Patched versions include release v5.4.8 and later.

Workarounds

To manually enable TLS verification:

  1. Open the NeuVector UI.

  2. Navigate to Settings → Configuration.

  3. In TLS Self-Signed Certificate Configuration, select Enable TLS verification.

  4. (Optional) Upload or paste the TLS self-signed certificate.

Questions and Support

  • Contact the SUSE Rancher Security team for security-related inquiries.

  • Open an issue in the NeuVector repository.

  • Review the support matrix and product support lifecycle.


NeuVector is shipping cryptographic material into its binary

Affected Versions

  • All versions earlier than 5.3.0

  • Versions 5.3.0 through 5.4.6

Fixed version: 5.4.7

Impact

NeuVector previously used a hard-coded cryptographic key embedded in the source code. During compilation, this value was replaced with a static secret key used to encrypt sensitive configuration fields.

In the patched release, NeuVector uses the Kubernetes secret neuvector-store-secret (in the neuvector namespace) to generate secure, dynamic encryption keys. This removes reliance on static keys and improves security by storing keys in Kubernetes-managed secrets.

During rolling upgrades or when restoring from persistent storage, the NeuVector controller checks encrypted configuration fields. If a field is encrypted with the default fixed key, it is decrypted and re-encrypted using the new dynamic key.

If the controller lacks RBAC permissions to access the Kubernetes secret, it logs:

Required Kubernetes RBAC for secrets are not found

and exits.

Device encryption keys rotate every 3 months. For more details, see: Rotating sensitive field in configuration.
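The controller behaviour described above, checking each encrypted configuration field and re-encrypting anything still under the fixed key, comes down to a versioned ciphertext format plus a migration step. The following Go program is an added example of that mechanism and is not NeuVector's implementation. The legacy key value, the `enc-v1:`/`enc-v2:` prefixes, AES-256-GCM as the cipher, and deriving the AES key from the secret's bytes by hashing are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// legacyKey stands in for the fixed key that used to be compiled into the
// binary. Constructed for this example; it is not NeuVector's real value.
var legacyKey = sha256.Sum256([]byte("example-compiled-in-key"))

// Version prefixes let the controller tell which key protects a stored field.
const (
	legacyPrefix  = "enc-v1:" // fixed key
	dynamicPrefix = "enc-v2:" // key held in the neuvector-store-secret
)

// KeyFromSecret turns the secret's bytes into a 32-byte AES key. Hashing is
// this example's choice; storing a random 32-byte key in the secret works too.
func KeyFromSecret(secretValue []byte) []byte {
	k := sha256.Sum256(secretValue)
	return k[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a random nonce; output is base64(nonce||ct).
func seal(key []byte, plaintext string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// unseal reverses seal; a wrong key or tampered ciphertext fails authentication.
func unseal(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LegacyEncryptField writes a field the way the unpatched version would have.
// It exists here only to construct upgrade input for the example.
func LegacyEncryptField(plaintext string) (string, error) {
	s, err := seal(legacyKey[:], plaintext)
	return legacyPrefix + s, err
}

// EncryptField protects a field under the current dynamic key.
func EncryptField(dynamicKey []byte, plaintext string) (string, error) {
	s, err := seal(dynamicKey, plaintext)
	return dynamicPrefix + s, err
}

// DecryptField reads either format, which is what lets a rolling upgrade load
// configuration written by the previous version.
func DecryptField(dynamicKey []byte, field string) (string, error) {
	switch {
	case strings.HasPrefix(field, dynamicPrefix):
		return unseal(dynamicKey, strings.TrimPrefix(field, dynamicPrefix))
	case strings.HasPrefix(field, legacyPrefix):
		return unseal(legacyKey[:], strings.TrimPrefix(field, legacyPrefix))
	}
	return "", fmt.Errorf("unrecognised field encoding")
}

// MigrateField is the upgrade/restore check: a field still under the fixed key
// is decrypted and re-encrypted under the dynamic key; any other field is
// returned unchanged. The bool reports whether the stored value changed.
func MigrateField(dynamicKey []byte, field string) (string, bool, error) {
	if !strings.HasPrefix(field, legacyPrefix) {
		return field, false, nil
	}
	pt, err := unseal(legacyKey[:], strings.TrimPrefix(field, legacyPrefix))
	if err != nil {
		return "", false, err
	}
	out, err := EncryptField(dynamicKey, pt)
	return out, err == nil, err
}
```

Running `MigrateField` over every encrypted field at startup and after a restore from persistent storage is idempotent: fields already carrying the `enc-v2:` prefix are returned untouched, so the pass is safe to repeat. The version prefix is also what a periodic key rotation would key off, since a field encrypted under a retired key can be recognised and re-encrypted the same way.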

Patches

Patched versions include release v5.4.7 and later.

Workarounds

No workarounds are available. Upgrade to a patched version as soon as possible.

Questions and Support

Telemetry sender is vulnerable to MITM and DoS

Affected Versions

  • All versions earlier than 5.3.0

  • Versions 5.3.0 through 5.4.6

Fixed versions: 5.4.7, 5.3.5

Impact

This vulnerability affects NeuVector deployments only when Report anonymous cluster data is enabled. When active, NeuVector sends anonymous telemetry data to:

In affected versions, TLS certificate verification is not enforced, making telemetry communication vulnerable to MITM attacks. An attacker could intercept or modify the transmitted data.

NeuVector also loaded the telemetry server response into memory without size limits, exposing the system to Denial-of-Service (DoS) risks.

The patched version includes:

  • Verification of the TLS certificate chain and hostname for the telemetry server.

  • A response size limit of 256 bytes to mitigate memory exhaustion.

These improvements are enabled by default and require no user action.
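Both this advisory and the OpenID Connect one above turn on the same two client-side controls: verifying the server's certificate chain and hostname (optionally against an uploaded self-signed certificate) and capping how much of a reply is read into memory. The Go program below is an added example of those controls and is not NeuVector's code. It uses a local `httptest` TLS server as a constructed stand-in for the telemetry endpoint, so nothing leaves the host; the client structure, the scenario names and the payload are this example's own.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxTelemetryResponse is the 256-byte cap the advisory describes.
const maxTelemetryResponse = 256

// newOutboundClient builds the client used for registry, auth-server and
// telemetry connections. With verify=true the chain and hostname are checked
// against the system roots or, when caPEM is supplied, an uploaded self-signed
// certificate. verify=false reproduces the old default and is kept only to
// show what the setting changes.
func newOutboundClient(verify bool, caPEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case !verify:
		cfg.InsecureSkipVerify = true // accepts any certificate: MITM exposure
	case len(caPEM) > 0:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no certificate found in uploaded PEM")
		}
		cfg.RootCAs = pool
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}, nil
}

// postTelemetry sends the payload and refuses to buffer more than
// maxTelemetryResponse bytes of reply, so a hostile server cannot exhaust memory.
func postTelemetry(client *http.Client, url string, payload []byte) ([]byte, error) {
	resp, err := client.Post(url, "application/json", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxTelemetryResponse+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxTelemetryResponse {
		return nil, fmt.Errorf("telemetry response exceeds %d bytes", maxTelemetryResponse)
	}
	return body, nil
}

// demo runs four client configurations against a local TLS test server that
// stands in for the telemetry endpoint (constructed; loopback only).
// Each result is "ok:<body>" or "rejected:<reason>".
func demo() map[string]string {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/oversized" {
			w.Write(bytes.Repeat([]byte("x"), 4096))
			return
		}
		w.Write([]byte(`{"status":"ok"}`))
	}))
	defer srv.Close()
	// The server's own certificate plays the role of the uploaded self-signed cert.
	serverCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	payload := []byte(`{"cluster":"demo"}`) // constructed telemetry body

	results := map[string]string{}
	run := func(name string, verify bool, ca []byte, path string) {
		client, err := newOutboundClient(verify, ca)
		if err == nil {
			var body []byte
			body, err = postTelemetry(client, srv.URL+path, payload)
			if err == nil {
				results[name] = "ok:" + string(body)
				return
			}
		}
		results[name] = "rejected:" + err.Error()
	}
	run("verify-untrusted-ca", true, nil, "/")                  // patched default, unknown issuer
	run("verify-uploaded-ca", true, serverCA, "/")              // patched default, cert uploaded
	run("no-verify", false, nil, "/")                           // legacy behaviour
	run("verify-oversized-reply", true, serverCA, "/oversized") // 256-byte cap
	return results
}

func main() {
	for name, r := range demo() {
		fmt.Printf("%-24s %s\n", name, r)
	}
}
```

The two rejected cases are the ones that matter operationally: an issuer the client does not trust is refused before any request body is sent, and an oversized reply is dropped after at most 257 bytes have been buffered. The `no-verify` case succeeds against a certificate it has never seen, which is the behaviour the advisory describes for affected versions.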

Patches

Patched versions include release v5.4.7 and later.

Workarounds

If you cannot update, disable Report anonymous cluster data:

Settings → Configuration → Report anonymous cluster data

Disabling this setting prevents NeuVector from sending telemetry data, reducing exposure to this vulnerability.

Recommendation: Upgrade to a patched version as soon as possible.

Questions and Support

Sensitive Information Exposure in NeuVector Manager Container Logs

CVEs: CVE-2025-46808
CVSS Score: 6.8 — CVSS v3.1 Vector
CWE: CWE-532: Insertion of Sensitive Information into Log File

Affected Versions

  • All versions earlier than 5.0.0

  • Versions 5.0.0 through 5.4.4

Fixed version: 5.4.5

Impact

A vulnerability in NeuVector versions up to and including 5.4.4 could leak sensitive information in the manager container logs. The following fields may appear in logs:

| Field | Description | Where It Appears | Reproduction | Environment |
| --- | --- | --- | --- | --- |
| X-R-Sess | Rancher session token for single sign-on | Request header | Log in via the Rancher UI and access NeuVector SSO | Rancher with NeuVector SSO |
| personal_access_token | GitHub or Azure DevOps token | Request body | Submit remote repository config under Configuration > Settings | NeuVector |
| token1.token | NeuVector user session token | Response body | Send a GET request through the NeuVector API: https://<neuvector-ui-url>/user?name=<username> | NeuVector |
| rekor_public_key, root_cert, sct_public_key | Rekor public key, root certificate, and signed certificate timestamp (SCT) public key in a private root of trust | Request body | Create or update a private root of trust from the Sigstore page | NeuVector |
| public_key | Verifier’s public key | Request body | Create or update a verifier in the Sigstore page | NeuVector |

NeuVector installations that have both Rancher Manager single sign-on integration and Remote Repository Configuration disabled are not affected.

In the patched version, X-R-Sess is partially masked. Other sensitive fields (personal_access_token, token, rekor_public_key, root_cert, sct_public_key, public_key) are removed from logs.

  • The severity depends on your logging strategy:

    • Local logging (default) — limits exposure.

    • External logging — severity increases, depending on security controls on external log collectors.

  • The final impact severity depends on permissions of the leaked credentials.

For more information, see Unsecured credentials (MITRE ATT&CK T1552).
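The fix described above combines three log-sanitization rules: partially masking the X-R-Sess header, removing the listed body fields (including nested ones such as token1.token), and, from the CVE-2025-54467 entry in the table, redacting process command arguments whose names contain password, passwd, pwd, token, or key, with extra regex patterns supplied by the operator. The Go program below is an added example of all three and is not NeuVector's code. The 4-character visible prefix, the `<redacted>` marker and passing extra patterns as arguments (rather than reading a ConfigMap) are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Body fields the advisory says are removed from logs in the patched version.
var sensitiveFields = map[string]bool{
	"personal_access_token": true, "token": true, "rekor_public_key": true,
	"root_cert": true, "sct_public_key": true, "public_key": true,
}

// Keywords redacted from process commands by default (CVE-2025-54467 entry).
var defaultCommandPatterns = []string{`(?i)password`, `(?i)passwd`, `(?i)pwd`, `(?i)token`, `(?i)key`}

// maskSession keeps a 4-character prefix (this example's choice) so log lines
// stay correlatable without exposing a replayable session token.
func maskSession(v string) string {
	const keep = 4
	if len(v) <= keep {
		return strings.Repeat("*", len(v))
	}
	return v[:keep] + strings.Repeat("*", len(v)-keep)
}

// stripSensitiveJSON removes sensitive keys at any depth, so a nested
// token1.token is caught as well. Bodies that are not JSON are returned as is.
func stripSensitiveJSON(body []byte) []byte {
	var doc any
	if err := json.Unmarshal(body, &doc); err != nil {
		return body
	}
	out, err := json.Marshal(stripValue(doc))
	if err != nil {
		return body
	}
	return out
}

// stripValue walks objects and arrays in place, deleting sensitive keys.
func stripValue(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, val := range t {
			if sensitiveFields[k] {
				delete(t, k)
			} else {
				t[k] = stripValue(val)
			}
		}
	case []any:
		for i := range t {
			t[i] = stripValue(t[i])
		}
	}
	return v
}

// newCommandRedactor compiles the default patterns plus any extra ones (the
// operator-supplied regexes) and returns a function that blanks the value of
// every argument whose name matches, in the "--name=value", "--name value"
// and "NAME=value" forms. A malformed pattern is reported rather than ignored.
func newCommandRedactor(extra ...string) (func(string) string, error) {
	var res []*regexp.Regexp
	for _, p := range append(append([]string{}, defaultCommandPatterns...), extra...) {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("bad redaction pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	sensitive := func(name string) bool {
		for _, re := range res {
			if re.MatchString(name) {
				return true
			}
		}
		return false
	}
	return func(cmd string) string {
		args := strings.Fields(cmd)
		for i := 0; i < len(args); i++ {
			name, _, hasValue := strings.Cut(args[i], "=")
			if !sensitive(name) {
				continue
			}
			switch {
			case hasValue:
				args[i] = name + "=<redacted>"
			case i+1 < len(args):
				i++
				args[i] = "<redacted>"
			}
		}
		return strings.Join(args, " ")
	}, nil
}
```

Two design points are worth noting. Matching on the argument name rather than scanning the whole command for keywords means a value such as `--port 8080` survives while `--token=...` does not, and redacting before the line reaches any logging backend keeps the severity independent of where the logs are shipped, which is the point the bullets above make about external log collectors.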

Patches

Patched versions include release 5.4.5 and later. Rotate the GitHub token used in Remote Repository Configuration after upgrading.

Workarounds

No workarounds are available. Upgrade to a fixed version as soon as possible.

Questions and Support