Skip to main content

Portainer CVE-2026-44848

CRITICAL
Missing Authorization (CWE-862)
2026-05-14 https://github.com/portainer/portainer GHSA-rrmm-9v76-h3p4
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 22:22 NVD
9.4 (CRITICAL)
Source Code Evidence Fetched
May 14, 2026 - 17:03 vuln.today
Analysis Generated
May 14, 2026 - 17:03 vuln.today
CVE Published
May 14, 2026 - 16:22 nvd
CRITICAL

DescriptionGitHub Advisory

Summary

Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.

The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations - including installing and enabling plugins - directly against the underlying Docker daemon.

The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. Administrators and users without Docker endpoint access are not affected.

A regular user with access to a Docker endpoint can:

  • Pull an arbitrary plugin from any registry via POST /plugins/pull.
  • Grant it the privileges it requests, including CAP_SYS_ADMIN and host-path mounts.
  • Enable the plugin via POST /plugins/{name}/enable, at which point Docker runs the plugin with root privileges on the host.

Docker plugins execute as root on the host and can request arbitrary host capabilities and mounts. Enabling a crafted plugin gives the user access to the host filesystem and equivalent to root on the Docker host.

Severity

Critical - CVSS 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE-862 - Missing Authorization

Affected Versions

The vulnerability exists in every Portainer release where the Docker API proxy uses the prefix-allowlist routing model - /plugins has never been in the allowlist, and the fall-through path has never applied authorization.

Fixes are included in the next release of each supported branch:

BranchFirst vulnerableFixed in
2.33.x (LTS)2.33.02.33.8
2.39.x (LTS)2.39.02.39.2
2.40.x (STS)2.40.02.41.0

Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. STS releases are supported only until the next STS ships - the 2.40.x STS line ends with the 2.41.0 release. All releases prior to 2.33.0 are end-of-life and will not receive a fix; users on EOL versions should upgrade to a supported LTS branch.

Workarounds

Administrators who cannot immediately upgrade can reduce exposure by temporarily revoking Docker endpoint access for non-admin users via Portainer RBAC until the patched release is deployed. This eliminates the attack surface without disruption for administrators. This does not replace the fix.

Affected Code

go
// api/http/proxy/factory/docker/transport.go (pre-fix)

var prefixProxyFuncMap = map[string]func(...){
    "build":      ...,
    "configs":    ...,
    "containers": ...,
    "images":     ...,
    "networks":   ...,
    "nodes":      ...,
    "secrets":    ...,
    "services":   ...,
    "swarm":      ...,
    "tasks":      ...,
    "v2":         ...,
    "volumes":    ...,
}

func (transport *Transport) ProxyDockerRequest(request *http.Request) (*http.Response, error) {
    // ...
    prefix := strings.Split(strings.TrimPrefix(unversionedPath, "/"), "/")[0]

    if proxyFunc := prefixProxyFuncMap[prefix]; proxyFunc != nil {
        return proxyFunc(transport, request, unversionedPath)  // authorized
    }

    return transport.executeDockerRequest(request)  // forwarded without authorization
}

/plugins is not in prefixProxyFuncMap, so requests to plugin endpoints fall through to executeDockerRequest and are forwarded to the Docker daemon without any Portainer-side authorization check.

Impact

An authenticated, non-admin Portainer user with access to any Docker-enabled endpoint can:

  • Install and enable arbitrary Docker plugins from any registry.
  • Execute plugin code with root privileges on the Docker host (including declaring CAP_SYS_ADMIN and host-path mounts).
  • Read and modify files on the host filesystem from a restricted account, overriding the administrator's security policy.

Timeline

  • 2026-03-16: Reported via GitHub Security Advisory by ikkebr.
  • 2026-04-20: Fix merged to develop, release/2.39, and release/2.33.
  • 2026-04-29: 2.41.0 released.
  • 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.

Credit

  • ikkebr - identified and reported the proxy allowlist bypass affecting the Docker plugin management endpoints.

AnalysisAI

Missing authorization in Portainer's Docker API proxy allows non-admin users with endpoint access to install and enable arbitrary Docker plugins, achieving root code execution on the Docker host. Standard users can bypass RBAC controls to call privileged plugin operations (/plugins/pull, /plugins/{name}/enable) directly against the Docker daemon, installing malicious plugins that run as root with CAP_SYS_ADMIN and arbitrary host mounts. Vendor-confirmed exploitation requires only low-privilege authenticated access (CVSS:4.0 9.4, AV:N/AC:L/PR:L). Patches released across three supported branches (2.33.8-LTS, 2.39.2-LTS, 2.41.0). No public exploit code identified at time of analysis, but attack technique is straightforward given detailed vendor disclosure.

Technical ContextAI

Portainer is a container management platform written in Go (pkg:go/github.com/portainer/portainer) that proxies and enforces RBAC on Docker API calls. The proxy layer uses a prefix-based allowlist routing model where registered prefixes (containers, images, volumes, etc.) trigger authorization handlers. The /plugins prefix was never added to the allowlist map (prefixProxyFuncMap), causing all plugin endpoint requests to fall through to executeDockerRequest() and be forwarded to the Docker daemon without Portainer-side authorization. The root cause is CWE-862 (Missing Authorization) - a classic fail-open security pattern where unrecognized paths bypass controls. Docker plugins are privileged extensions that run as root processes on the host and can declare capabilities like CAP_SYS_ADMIN and request bind mounts of host filesystem paths. The plugin enable operation (POST /plugins/{name}/enable) starts the plugin immediately with whatever privileges it declares in its manifest, making it a direct path to host-level code execution from a restricted container management account.

RemediationAI

Upgrade to patched releases immediately: Portainer 2.33.8-LTS (fixes 2.33.x branch, released 2026-05-07), Portainer 2.39.2-LTS (fixes 2.39.x branch, released 2026-05-07), or Portainer 2.41.0 (fixes 2.40.x STS branch, released 2026-04-29). Release binaries and container images available at https://github.com/portainer/portainer/releases/tag/2.33.8, /tag/2.39.2, and /tag/2.41.0. For administrators unable to upgrade immediately, temporarily revoke Docker endpoint access for all non-admin users via Portainer RBAC settings until patched versions are deployed - this eliminates the attack surface but disrupts legitimate non-admin workflows and does not replace the vendor fix. Users on end-of-life versions (pre-2.33.0) must upgrade to a supported LTS branch (2.33.8 or 2.39.2) to receive the fix. The patch adds /plugins to the proxy allowlist and enforces authorization checks before forwarding plugin management requests to the Docker daemon.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-44848 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy