Portainer CVE-2026-44848
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.
The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations - including installing and enabling plugins - directly against the underlying Docker daemon.
The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. Administrators and users without Docker endpoint access are not affected.
A regular user with access to a Docker endpoint can:
- Pull an arbitrary plugin from any registry via
POST /plugins/pull. - Grant it the privileges it requests, including
CAP_SYS_ADMINand host-path mounts. - Enable the plugin via
POST /plugins/{name}/enable, at which point Docker runs the plugin with root privileges on the host.
Docker plugins execute as root on the host and can request arbitrary host capabilities and mounts. Enabling a crafted plugin gives the user access to the host filesystem and equivalent to root on the Docker host.
Severity
Critical - CVSS 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE-862 - Missing Authorization
Affected Versions
The vulnerability exists in every Portainer release where the Docker API proxy uses the prefix-allowlist routing model - /plugins has never been in the allowlist, and the fall-through path has never applied authorization.
Fixes are included in the next release of each supported branch:
| Branch | First vulnerable | Fixed in |
|---|---|---|
| 2.33.x (LTS) | 2.33.0 | 2.33.8 |
| 2.39.x (LTS) | 2.39.0 | 2.39.2 |
| 2.40.x (STS) | 2.40.0 | 2.41.0 |
Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. STS releases are supported only until the next STS ships - the 2.40.x STS line ends with the 2.41.0 release. All releases prior to 2.33.0 are end-of-life and will not receive a fix; users on EOL versions should upgrade to a supported LTS branch.
Workarounds
Administrators who cannot immediately upgrade can reduce exposure by temporarily revoking Docker endpoint access for non-admin users via Portainer RBAC until the patched release is deployed. This eliminates the attack surface without disruption for administrators. This does not replace the fix.
Affected Code
// api/http/proxy/factory/docker/transport.go (pre-fix)
var prefixProxyFuncMap = map[string]func(...){
"build": ...,
"configs": ...,
"containers": ...,
"images": ...,
"networks": ...,
"nodes": ...,
"secrets": ...,
"services": ...,
"swarm": ...,
"tasks": ...,
"v2": ...,
"volumes": ...,
}
func (transport *Transport) ProxyDockerRequest(request *http.Request) (*http.Response, error) {
// ...
prefix := strings.Split(strings.TrimPrefix(unversionedPath, "/"), "/")[0]
if proxyFunc := prefixProxyFuncMap[prefix]; proxyFunc != nil {
return proxyFunc(transport, request, unversionedPath) // authorized
}
return transport.executeDockerRequest(request) // forwarded without authorization
}/plugins is not in prefixProxyFuncMap, so requests to plugin endpoints fall through to executeDockerRequest and are forwarded to the Docker daemon without any Portainer-side authorization check.
Impact
An authenticated, non-admin Portainer user with access to any Docker-enabled endpoint can:
- Install and enable arbitrary Docker plugins from any registry.
- Execute plugin code with root privileges on the Docker host (including declaring
CAP_SYS_ADMINand host-path mounts). - Read and modify files on the host filesystem from a restricted account, overriding the administrator's security policy.
Timeline
- 2026-03-16: Reported via GitHub Security Advisory by ikkebr.
- 2026-04-20: Fix merged to
develop,release/2.39, andrelease/2.33. - 2026-04-29: 2.41.0 released.
- 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.
Credit
- ikkebr - identified and reported the proxy allowlist bypass affecting the Docker plugin management endpoints.
AnalysisAI
Missing authorization in Portainer's Docker API proxy allows non-admin users with endpoint access to install and enable arbitrary Docker plugins, achieving root code execution on the Docker host. Standard users can bypass RBAC controls to call privileged plugin operations (/plugins/pull, /plugins/{name}/enable) directly against the Docker daemon, installing malicious plugins that run as root with CAP_SYS_ADMIN and arbitrary host mounts. Vendor-confirmed exploitation requires only low-privilege authenticated access (CVSS:4.0 9.4, AV:N/AC:L/PR:L). Patches released across three supported branches (2.33.8-LTS, 2.39.2-LTS, 2.41.0). No public exploit code identified at time of analysis, but attack technique is straightforward given detailed vendor disclosure.
Technical ContextAI
Portainer is a container management platform written in Go (pkg:go/github.com/portainer/portainer) that proxies and enforces RBAC on Docker API calls. The proxy layer uses a prefix-based allowlist routing model where registered prefixes (containers, images, volumes, etc.) trigger authorization handlers. The /plugins prefix was never added to the allowlist map (prefixProxyFuncMap), causing all plugin endpoint requests to fall through to executeDockerRequest() and be forwarded to the Docker daemon without Portainer-side authorization. The root cause is CWE-862 (Missing Authorization) - a classic fail-open security pattern where unrecognized paths bypass controls. Docker plugins are privileged extensions that run as root processes on the host and can declare capabilities like CAP_SYS_ADMIN and request bind mounts of host filesystem paths. The plugin enable operation (POST /plugins/{name}/enable) starts the plugin immediately with whatever privileges it declares in its manifest, making it a direct path to host-level code execution from a restricted container management account.
RemediationAI
Upgrade to patched releases immediately: Portainer 2.33.8-LTS (fixes 2.33.x branch, released 2026-05-07), Portainer 2.39.2-LTS (fixes 2.39.x branch, released 2026-05-07), or Portainer 2.41.0 (fixes 2.40.x STS branch, released 2026-04-29). Release binaries and container images available at https://github.com/portainer/portainer/releases/tag/2.33.8, /tag/2.39.2, and /tag/2.41.0. For administrators unable to upgrade immediately, temporarily revoke Docker endpoint access for all non-admin users via Portainer RBAC settings until patched versions are deployed - this eliminates the attack surface but disrupts legitimate non-admin workflows and does not replace the vendor fix. Users on end-of-life versions (pre-2.33.0) must upgrade to a supported LTS branch (2.33.8 or 2.39.2) to receive the fix. The patch adds /plugins to the proxy allowlist and enforces authorization checks before forwarding plugin management requests to the Docker daemon.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rrmm-9v76-h3p4