- Last update: 19/05/2026
- Affected software:
→ Portainer versions 2.33.0–2.33.7, 2.39.0–2.39.1 and 2.40
- Type: Remote Code Execution, Privilege Escalation, Security Policy Bypass
- CVE/CVSS
→ CVE-2026-44848: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2026-44849: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
GitHub - https://github.com/advisories/GHSA-rrmm-9v76-h3p4
GitHub - https://github.com/advisories/GHSA-5fxq-qcf3-244w
Portainer is a web-based management interface for Docker and Kubernetes environments used across DevOps pipelines, cloud platforms, and self-hosted infrastructure. It provides Role-Based Access Control (RBAC) to allow non-admin users to interact with Docker endpoints within defined permission boundaries.
Both vulnerabilities are missing authorization checks in the Docker API proxy layer. An authenticated non-admin user with access to a Docker or Swarm endpoint can exploit them to perform privileged operations on the Docker host. The required access level, endpoint-level access for a standard Portainer user, is a common configuration in multi-user deployments.
No public proof-of-concept exploit code has been confirmed at the time of this advisory. Both vulnerabilities require only standard Docker API calls to affected endpoints.
Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API via a proxy layer that routes requests to per-resource handlers, each applying authorization checks before forwarding to the Docker daemon. Two independent flaws in this layer allow non-admin users to bypass those checks.
CVE-2026-44848 - Missing Authorization on Docker Plugin Endpoints
The Docker plugin management endpoints (/plugins/*) are absent from Portainer’s proxy authorization handler map, causing all requests to those endpoints to be forwarded directly to the Docker daemon without any access control check.
A non-admin user with endpoint access can send a POST /plugins/pull request to install any plugin from any registry, then POST /plugins/{name}/enable to activate it.
Docker runs enabled plugins as root on the host with the capabilities and mounts they declare, giving the user code execution at the OS level of the Docker host.
CVE-2026-44849 - Swarm Service Create/Update Security Policy Bypass
Portainer’s seven EndpointSecuritySettings restrictions are not consistently enforced on Swarm service endpoints: POST /services/create validates only the Mounts[] field (1 of 7 checks), and POST /services/{id}/update performs no security settings inspection at all.
This allows a non-admin user to submit service requests with arbitrary CapabilityAdd, CapabilityDrop, Sysctls, and Privileges values regardless of the administrator’s configured policy.
An additional bypass exists via volume driver options: a mount declared as Type: “volume” with VolumeOptions.DriverConfig.Options {type: none, o: bind, device: } passes the bind-mount restriction check and is materialised as a bind-equivalent mount by the local driver, also applicable via POST /volumes/create.
By combining elevated capabilities with a host path bind mount, a non-admin user can access the host filesystem from within a running container, overriding the security boundaries the administrator has configured.
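The advisory describes the policy inspection that the Swarm service endpoints do not perform. As an added example (not Portainer code and not the CCB's), the following Python shows what such a per-request check looks like when applied to the body of a `POST /services/create` or `POST /services/{id}/update` request (both carry a Docker ServiceSpec) and to a `POST /volumes/create` body. The `EndpointPolicy` flags are hypothetical stand-ins for the kinds of restrictions the advisory names, not Portainer's actual EndpointSecuritySettings schema; the sample spec is constructed. The mount check treats a `volume` mount whose local-driver options are `type=none` with `bind` in `o` as a bind mount, which is the case the advisory says the existing Mounts[] check lets through.

```python
"""Policy check for Docker Swarm service specs and volume-create bodies.
Added example; not Portainer's code. The policy flags are hypothetical."""
from dataclasses import dataclass


@dataclass
class EndpointPolicy:
    # Hypothetical flags standing in for an administrator's endpoint policy.
    allow_bind_mounts: bool = False
    allow_capability_add: bool = False
    allow_sysctls: bool = False
    allow_privileges: bool = False


def driver_opts_are_bind(opts: dict) -> bool:
    """The local volume driver turns type=none with 'bind' among the 'o' flags
    into a bind of 'device' onto the container, so treat it as a bind mount."""
    if not opts:
        return False
    o_flags = {f.strip() for f in str(opts.get("o", "")).split(",")}
    return opts.get("type") == "none" and "bind" in o_flags


def mount_is_bind_equivalent(mount: dict) -> bool:
    """True for an explicit bind mount or a volume mount with bind driver options."""
    if mount.get("Type") == "bind":
        return True
    if mount.get("Type") != "volume":
        return False
    opts = (mount.get("VolumeOptions") or {}).get("DriverConfig", {}).get("Options", {})
    return driver_opts_are_bind(opts)


def host_path_of(mount: dict) -> str:
    """Host path a bind-equivalent mount exposes (Source for bind, device for volume)."""
    if mount.get("Type") == "bind":
        return str(mount.get("Source", "?"))
    opts = (mount.get("VolumeOptions") or {}).get("DriverConfig", {}).get("Options", {})
    return str(opts.get("device", "?"))


def check_service_spec(spec: dict, policy: EndpointPolicy) -> list[str]:
    """Return policy violations for a ServiceSpec; apply to create AND update bodies."""
    cs = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    violations = []
    for i, mount in enumerate(cs.get("Mounts") or []):
        if mount_is_bind_equivalent(mount) and not policy.allow_bind_mounts:
            violations.append(f"Mounts[{i}]: bind-equivalent mount of host path {host_path_of(mount)!r}")
    if cs.get("CapabilityAdd") and not policy.allow_capability_add:
        violations.append(f"CapabilityAdd: {cs['CapabilityAdd']}")
    if cs.get("Sysctls") and not policy.allow_sysctls:
        violations.append(f"Sysctls: {sorted(cs['Sysctls'])}")
    if cs.get("Privileges") and not policy.allow_privileges:
        violations.append(f"Privileges: {sorted(cs['Privileges'])}")
    return violations


def check_volume_create(body: dict, policy: EndpointPolicy) -> list[str]:
    """Same driver-option rule for a POST /volumes/create body."""
    opts = body.get("DriverOpts") or {}
    if driver_opts_are_bind(opts) and not policy.allow_bind_mounts:
        return [f"DriverOpts: bind of host path {opts.get('device', '?')!r}"]
    return []


# Constructed sample: one bind-equivalent volume mount, one ordinary volume, one added capability.
CONSTRUCTED_SPEC = {
    "Name": "web",
    "TaskTemplate": {"ContainerSpec": {
        "Image": "nginx:latest",
        "CapabilityAdd": ["CAP_SYS_ADMIN"],
        "Mounts": [
            {"Type": "volume", "Source": "data", "Target": "/srv",
             "VolumeOptions": {"DriverConfig": {"Name": "local",
                               "Options": {"type": "none", "o": "bind", "device": "/"}}}},
            {"Type": "volume", "Source": "cache", "Target": "/cache"},
        ],
    }},
}

if __name__ == "__main__":
    for v in check_service_spec(CONSTRUCTED_SPEC, EndpointPolicy()):
        print("REJECT:", v)
```

Under the default policy the sample is rejected for two reasons (the bind-equivalent mount and `CapabilityAdd`); the plain `cache` volume passes. Running the same function on update bodies closes the gap the advisory describes for `POST /services/{id}/update`.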
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
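To support the Patch and Monitor/Detect recommendations above, here is an added Python example (not CCB or Portainer code) with two pieces: a check of an installed Portainer version against the affected ranges exactly as the advisory lists them, and a triage pass over reverse-proxy access logs that flags `POST` requests to the Docker-proxy paths the two CVEs concern (plugin management, Swarm service create/update, volume create). It assumes Portainer proxies the Docker API under `/api/endpoints/{id}/docker/` and that the proxy writes Common Log Format lines with the authenticated user in the third field; the log lines are constructed. "2.40" carries no patch level in the advisory, so it is read here as 2.40.0; confirm other 2.40.x builds against the linked GitHub advisories.

```python
"""Affected-version check and access-log triage for the Portainer advisory.
Added example, not CCB or Portainer code; log lines are constructed."""
import re

# Inclusive ranges as listed in the advisory; "2.40" is read as 2.40.0.
AFFECTED_RANGES = [((2, 33, 0), (2, 33, 7)), ((2, 39, 0), (2, 39, 1)), ((2, 40, 0), (2, 40, 0))]


def parse_version(v: str) -> tuple[int, int, int]:
    """'2.33.7', 'v2.40' or '2.33.7-rc1' -> numeric (major, minor, patch); suffix dropped."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    t = parse_version(version)
    return any(lo <= t <= hi for lo, hi in AFFECTED_RANGES)


# Assumption: Portainer's Docker proxy lives under /api/endpoints/{id}/docker/.
SENSITIVE_PATH = re.compile(
    r"^/api/endpoints/(?P<endpoint>\d+)/docker/"
    r"(?P<op>plugins(?:/|$)|services/create|services/[^/]+/update|volumes/create)"
)
# Common Log Format with the authenticated user in the third field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def classify(op: str) -> str:
    if op.startswith("plugins"):
        return "plugin management (CVE-2026-44848)"
    if op == "volumes/create":
        return "volume create (CVE-2026-44849)"
    return "swarm service create/update (CVE-2026-44849)"


def triage_access_log(lines) -> list[dict]:
    """Flag POST requests to the sensitive Docker-proxy paths for analyst review.
    Role (admin vs non-admin) is not in the access log; join on Portainer's user list afterwards."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        s = SENSITIVE_PATH.match(path)
        if s:
            hits.append({"ip": m["ip"], "user": m["user"], "endpoint": s["endpoint"],
                         "path": path, "status": int(m["status"]), "category": classify(s["op"])})
    return hits


# Constructed sample lines (not real traffic).
CONSTRUCTED_LOG = [
    '10.0.0.5 - alice [19/05/2026:10:00:01 +0200] "POST /api/endpoints/2/docker/plugins/pull?remote=example/plugin HTTP/1.1" 200 12',
    '10.0.0.5 - alice [19/05/2026:10:00:03 +0200] "POST /api/endpoints/2/docker/plugins/example/plugin/enable HTTP/1.1" 200 0',
    '10.0.0.9 - bob [19/05/2026:10:01:00 +0200] "GET /api/endpoints/2/docker/containers/json HTTP/1.1" 200 512',
    '10.0.0.9 - bob [19/05/2026:10:02:00 +0200] "POST /api/endpoints/2/docker/services/abc123/update?version=7 HTTP/1.1" 200 0',
    '10.0.0.7 - carol [19/05/2026:10:03:00 +0200] "GET /api/endpoints/2/docker/plugins HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print("2.33.7 affected:", is_affected("2.33.7"))
    for h in triage_access_log(CONSTRUCTED_LOG):
        print(f"{h['user']}@{h['ip']} endpoint={h['endpoint']} {h['category']}: {h['path']} -> {h['status']}")
```

The sample yields three entries for review (two plugin operations by alice, one service update by bob); listing plugins with GET is not flagged because the advisory's concern is the write operations. Successful (`2xx`) hits from accounts that are not administrators are the ones to investigate first, since the advisory notes that patching does not remediate a compromise that already happened.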