GHSA-3C9M-GQ32-G4JX
Vulnerability from github – Published: 2026-02-12 22:14 – Updated: 2026-02-12 22:14Impact
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This may allow unauthorized access to registries or the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.
Important: - For the exposure of credentials not related to Rancher NeuVector, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services. - It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.
Please consult the associated MITRE ATT&CK – Technique – Credential Access and Unsecured Credentials for further information about this category of attack.
Patches
Patched versions include release v4.072 and above.
Starting from version v4.072, the scanner monitor process does not pass credentials to the scanner anymore. Instead, scanner process gets credentials information from environment variables, preventing them from being exposed through /proc/*/cmdline.
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector scanner that contains the fix.
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the NeuVector repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/scanner"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.072"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67860"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T22:14:02Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nA vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This may allow unauthorized access to registries or the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.\n\n**Important:**\n- For the exposure of credentials not related to Rancher NeuVector, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.\n- It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.\n\nPlease consult the associated [MITRE ATT\u0026CK \u2013 Technique \u2013 Credential Access and Unsecured Credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.\n\n### Patches\nPatched versions include release `v4.072` and above.\n\nStarting from version `v4.072`, the scanner monitor process does not pass credentials to the scanner anymore. Instead, scanner process gets credentials information from environment variables, preventing them from being exposed through `/proc/*/cmdline`.\n\n### Workarounds\nThere is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector scanner that contains the fix.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-3c9m-gq32-g4jx",
"modified": "2026-02-12T22:14:02Z",
"published": "2026-02-12T22:14:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/security/advisories/GHSA-3c9m-gq32-g4jx"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/commit/c2f0f9268468e49eb3addea923156123c4465794"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/scanner"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/releases/tag/v4.072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NeuVector scanner insecurely handles passwords as command arguments"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.