Portainer
Monthly
Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.
Privilege escalation in Portainer Community Edition stems from permissive default endpoint security settings that grant non-admin users with endpoint access the ability to create containers with bind mounts, privileged mode, host namespaces, device mappings, sysctl settings, and Linux capabilities. An authenticated low-privilege user can leverage these defaults to read arbitrary host files or break out of the container boundary to achieve root-equivalent code execution on the Docker host. Publicly available exploit code exists per CVSS v4.0 threat metrics (E:P), but the issue is not listed in CISA KEV.
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Portainer before 2.20.0 allows redirects when the target is not index.yaml. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
A user enumeration vulnerability was found in Portainer CE 2.19.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Portainer before 1.22.1 has XSS (issue 2 of 2). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 allows Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has XSS (issue 1 of 2). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.
Privilege escalation in Portainer Community Edition stems from permissive default endpoint security settings that grant non-admin users with endpoint access the ability to create containers with bind mounts, privileged mode, host namespaces, device mappings, sysctl settings, and Linux capabilities. An authenticated low-privilege user can leverage these defaults to read arbitrary host files or break out of the container boundary to achieve root-equivalent code execution on the Docker host. Publicly available exploit code exists per CVSS v4.0 threat metrics (E:P), but the issue is not listed in CISA KEV.
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Portainer before 2.20.0 allows redirects when the target is not index.yaml. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
A user enumeration vulnerability was found in Portainer CE 2.19.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Portainer before 1.22.1 has XSS (issue 2 of 2). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 allows Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer before 1.22.1 has XSS (issue 1 of 2). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.