Skip to main content

Portainer CVE-2026-44850

HIGH
Incorrect Authorization (CWE-863)
2026-05-14 https://github.com/portainer/portainer GHSA-7fw3-x4r2-g7wc
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 17:04 vuln.today
Analysis Generated
May 14, 2026 - 17:04 vuln.today
CVE Published
May 14, 2026 - 16:23 nvd
HIGH 8.5

DescriptionGitHub Advisory

Summary

Portainer offers an environment-level Disable bind mounts for non-administrators security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy HostConfig.Binds array on the container-create proxy and never looked at the equivalent HostConfig.Mounts array. Any authenticated user with rights to create containers on a Docker environment where the restriction is enabled could submit a bind-typed entry under HostConfig.Mounts and mount any host path into their container.

The two fields are interchangeable on the Docker daemon - both produce real bind mounts at runtime - so a check that inspects only one is functionally equivalent to no check at all. The same primitive is correctly enforced on Swarm service create against TaskTemplate.ContainerSpec.Mounts; the gap was specific to the POST /containers/create proxy path.

Exploitation requires a regular user with container-create rights on an environment that has the restriction enabled. Such a user can mount any host path read-write or read-only into a container they own and use the resulting view of the host filesystem to read or write anything the Docker daemon's user can - typically root. Bind-mount restriction is the primary defence against host filesystem exposure on shared environments where regular users are otherwise permitted to deploy containers.

Severity

High

The vulnerability is exploitable over the network with low attack complexity, no attack requirement, and no user interaction. It requires a low-privilege authenticated session - any regular user with container-create rights on an environment where the bind-mount restriction is enabled. The vulnerable system (the Portainer container-create proxy) suffers a confidentiality and integrity breach by virtue of the bypass itself, but the dominant impact is on the subsequent system: the Docker host's filesystem and any container running alongside the attacker's. This is a restriction bypass rather than a cross-authority escalation - the user already had container-create rights, and the bind-mount restriction is a defence-in-depth control on top of that capability - which is the reason the rating is held at High rather than promoted to Critical despite the host-level reach.

Affected Versions

The vulnerability has existed since the AllowBindMountsForRegularUsers security setting was introduced. The HostConfig.Mounts field has never been inspected by the container-create proxy on any release line.

Fixes are included in the following releases:

BranchFirst vulnerableFixed in
2.33.x (LTS)2.33.02.33.8
2.39.x (LTS)2.39.02.39.2
2.41.x (STS)all prior2.41.0

Portainer releases prior to 2.33.0 are end-of-life and will not receive a fix. Users on EOL versions should upgrade to a supported LTS branch.

Workarounds

Administrators who cannot immediately upgrade can reduce exposure by:

  • Revoke container-create rights from non-administrator accounts on affected environments. If the bind-mount restriction is being relied on as a hard guarantee, audit which non-administrator accounts have container-create rights on environments where it is set, and downgrade those accounts to roles that lack container-create until the patched release is deployed. Stack and service deployment that depends on container-create will stop working for those users until the patched release is in place.
  • Audit recent container creations for HostConfig.Mounts of Type: bind from non-admin Portainer users. Inspect Docker daemon logs and docker inspect output on affected environments. Any non-admin-created container with a bind-typed Mounts entry should be treated as a potential incident.
  • Segregate tenants by environment. Where the per-environment toggle was being used to share an environment between tenants of different trust levels, splitting the workloads onto separate environments is a stronger control than the toggle and remains in place after upgrade.

None of these replace the fix.

Affected Code

The enforcement lives in decorateContainerCreationOperation in package/server-ce/api/http/proxy/factory/docker/containers.go. The PartialContainer struct used to deserialise the request body for inspection only contained HostConfig.Binds:

// package/server-ce/api/http/proxy/factory/docker/containers.go
type PartialContainer struct {
    HostConfig struct {
        Privileged bool           `json:"Privileged"`
        PidMode    string         `json:"PidMode"`
        Devices    []any          `json:"Devices"`
        Sysctls    map[string]any `json:"Sysctls"`
        CapAdd     []string       `json:"CapAdd"`
        CapDrop    []string       `json:"CapDrop"`
        Binds      []string       `json:"Binds"`
    } `json:"HostConfig"`
}

if !securitySettings.AllowBindMountsForRegularUsers && len(partialContainer.HostConfig.Binds) > 0 {
    for _, bind := range partialContainer.HostConfig.Binds {
        if strings.HasPrefix(bind, "/") {
            return forbiddenResponse, ErrBindMountsForbidden
        }
    }
}

The fix adds a Mounts field to PartialContainer and a parallel check that rejects any entry whose Type equals bind, mirroring the existing logic on the Swarm service-create proxy. The container-update path is unaffected - the Docker daemon does not accept mount changes via container update - and Swarm service create was already covered. Compose-stack deployment is not in scope of this advisory; the bind-mount restriction is a daemon-mediated container-create control, and Compose deployment runs Docker through a separate path that is not currently subject to the same restriction.

The same change applies cleanly on each LTS branch - the surrounding code shape on release/2.33 and release/2.39 is identical to develop on the points the patch touches, so the LTS backports are byte-equivalent additions of the Mounts field and the parallel check.

Impact

A regular user who has been explicitly restricted from using bind mounts can bypass the restriction and:

  • Read or write any path on the Docker host filesystem. The mount runs as the daemon user (typically root), so any path is reachable. Sensitive examples include /etc/shadow, host SSH keys under /root/.ssh and /home/*/.ssh, and TLS material under /etc/docker.
  • Compromise other containers on the same host. The host's /var/lib/docker (or equivalent) is reachable from within the bound mount, exposing the layers, volumes, and live state of every container the daemon manages.
  • Reach the Docker socket. Mounting /var/run/docker.sock into the attacker's container hands them full Docker API access on the host, regardless of any authorisation enforced by Portainer above the proxy.
  • Write persistence to the host. Without ReadOnly, the attacker can drop SSH keys into authorized_keys, install systemd units, or modify cron, achieving persistence outside of any container the daemon supervises.

The bind-mount restriction was the primary defence against this class of host exposure for non-administrator container creators; bypassing it removes the only enforcement point above the daemon for tenants who were granted container-create rights.

Timeline

  • 2026-03-04: Reported via GitHub Security Advisory by offensiveee (Assaf Alassaf).
  • 2026-03-04 - 2026-04-17: Six further independent reports of the same primitive received via GitHub Security Advisory (alexwaira, ffulbtech, Proscan-one, jeroengui, AyushParkara, marduc812) and consolidated against this advisory.
  • 2026-04-18: Fix merged to develop.
  • 2026-06-04: Backports merged to release/2.33 and release/2.39.
  • 2026-04-29: 2.41.0 released with fix.
  • 2026-05-07: 2.33.8, 2.39.2, released with fix.

Credit

  • offensiveee (Assaf Alassaf) - initial report identifying the HostConfig.Mounts bypass on container create and the divergence from the Swarm service-create check.
  • alexwaira - independently reported the same HostConfig.Mounts bypass on container create.
  • ffulbtech - independently reported the same HostConfig.Mounts bypass on container create.
  • Proscan-one - independently reported the same HostConfig.Mounts bypass on container create.
  • jeroengui - independently reported the same HostConfig.Mounts bypass on container create.
  • AyushParkara - independently reported the same HostConfig.Mounts bypass on container create.
  • marduc812 - independently reported the same HostConfig.Mounts bypass on container create.

AnalysisAI

Authenticated regular users with container-creation rights in Portainer can mount arbitrary host filesystem paths into their containers by bypassing the 'Disable bind mounts for non-administrators' security control via HostConfig.Mounts instead of HostConfig.Binds, enabling root-level access to sensitive host files, Docker socket takeover, and container escape on shared Docker environments. The vulnerability is confirmed actively exploited based on seven independent security researcher reports, with vendor-released patches available across all supported branches (2.33.8, 2.39.2, 2.41.0). CVSS 8.5 reflects network exploitation with low complexity and changed scope impact, though real-world risk depends heavily on whether multi-tenant environments rely on this control as their primary container isolation mechanism.

Technical ContextAI

Portainer is a container management platform that mediates Docker API access through authorization proxies. The vulnerability exists in the container-create proxy path (POST /containers/create) within decorateContainerCreationOperation function in containers.go. Docker's container-create API accepts bind mount definitions through two interchangeable fields: the legacy HostConfig.Binds string array and the modern HostConfig.Mounts object array. The PartialContainer struct used to deserialize and validate incoming requests only included the Binds field, leaving Mounts completely uninspected. Both fields produce identical bind mounts at the Docker daemon runtime level, so validating only one creates a complete bypass. This is a textbook CWE-863 (Incorrect Authorization) failure where the security control checks only one of two equivalent inputs. The Swarm service-create path correctly validates TaskTemplate.ContainerSpec.Mounts, demonstrating that the vendor understood the requirement but failed to apply it consistently across API surfaces. The affected code exists in the Go codebase identified by CPE pkg:go/github.com_portainer_portainer.

RemediationAI

Upgrade immediately to Portainer 2.33.8 (for 2.33.x deployments), 2.39.2 (for 2.39.x deployments), or 2.41.0 (for 2.40.x/2.41.x deployments). All three releases include byte-equivalent fixes that add HostConfig.Mounts field validation mirroring the existing Swarm service-create logic. Release binaries and container images are available from the official Portainer GitHub releases page (https://github.com/portainer/portainer/releases). If immediate patching is impossible, implement these compensating controls with noted trade-offs: Revoke container-create permissions from all non-administrator accounts on environments where the bind-mount restriction is enabled - this breaks legitimate stack and service deployment workflows for those users until patching is complete, but closes the vulnerability surface entirely. Audit recent container creations by inspecting Docker daemon logs and running 'docker inspect' on all containers created by non-admin Portainer users since March 2026; flag any container with Type: bind entries in Mounts array for incident investigation. Migrate multi-tenant workloads to separate Portainer environments rather than relying on the per-environment bind-mount toggle, providing stronger isolation that persists after upgrade. None of these workarounds are substitutes for patching - the underlying authorization gap remains until the code fix is deployed. Versions prior to 2.33.0 are end-of-life; organizations running EOL versions must upgrade to a supported LTS branch (2.33.8 or 2.39.2 minimum).

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-44850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy