Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (ENISA) · only source for this CVE.
CVSS VectorVendor: ENISA
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent
access on the host.
AnalysisAI
Privilege escalation in Portainer Community Edition stems from permissive default endpoint security settings that grant non-admin users with endpoint access the ability to create containers with bind mounts, privileged mode, host namespaces, device mappings, sysctl settings, and Linux capabilities. An authenticated low-privilege user can leverage these defaults to read arbitrary host files or break out of the container boundary to achieve root-equivalent code execution on the Docker host. Publicly available exploit code exists per CVSS v4.0 threat metrics (E:P), but the issue is not listed in CISA KEV.
Technical ContextAI
Portainer CE is a popular open-source container management UI for Docker, Swarm, Kubernetes, and Nomad environments. The flaw is rooted in CWE-276 (Incorrect Default Permissions): when a new endpoint (Docker environment) is registered, Portainer's EndpointSecuritySettings struct was initialized with permissive flags - AllowBindMountsForRegularUsers, AllowPrivilegedModeForRegularUsers, AllowHostNamespaceForRegularUsers, AllowContainerCapabilitiesForRegularUsers, AllowDeviceMappingForRegularUsers, and AllowSysctlSettingForRegularUsers all set to true. Because Docker's bind-mount and --privileged primitives bridge the container/host boundary by design, granting these to non-admin users is functionally equivalent to handing them root on the host. The upstream fix introduces a single DefaultEndpointSecuritySettings() constructor that flips all of these to false, replacing the inline literals in api/datastore/datastore_test.go, api/http/handler/endpoints/endpoint_create.go, and api/internal/endpointutils/endpoint_setup.go.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - upgrade to a Portainer CE build that includes commits ac8fa7672e732b44b970c9eaf928eddd2c68796c and 3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52 (https://github.com/portainer/portainer/commit/ac8fa7672e732b44b970c9eaf928eddd2c68796c and https://github.com/portainer/portainer/commit/3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52), which introduce DefaultEndpointSecuritySettings() with all host-exposing toggles set to false. Until a tagged release can be deployed, administrators should manually harden every existing endpoint by opening Environments → Endpoint → Security and disabling AllowBindMountsForRegularUsers, AllowPrivilegedModeForRegularUsers, AllowHostNamespaceForRegularUsers, AllowContainerCapabilitiesForRegularUsers, AllowDeviceMappingForRegularUsers, AllowSysctlSettingForRegularUsers, AllowVolumeBrowserForRegularUsers, and EnableHostManagementFeatures - note that flipping these off will break any legitimate workflows where non-admin users were intentionally relying on bind mounts or privileged containers, so audit existing stacks first. Additionally, restrict endpoint and team membership so only trusted users hold any access, and review the hardening guidance at https://intwave.com/blog/2026/02/26/improving-portainer-security.html.
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33007
GHSA-frhv-529m-5v9v