Executive Summary

This vulnerability (CVE-2026-33590) exists in Portainer Community Edition where insecure default settings grant regular (non-admin) users excessive privileges. These privileges allow such users to access the host filesystem and execute code at the host level. Specifically, an authenticated non-administrative user with endpoint access can exploit these settings to read sensitive host files or gain root-equivalent access on the host.

The root cause was default security settings that enabled regular users to perform actions like bind mounting host paths, running containers in privileged mode, accessing host devices, managing container stacks, and modifying system settings.

This issue was discovered in Portainer versions 2.33.2 and earlier and was fixed by restricting these default privileges in later versions (2.38.0 and 2.39.0).

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves insecure default settings in Portainer CE that grant regular users excessive privileges, including host filesystem access and host-level code execution. Detection involves identifying if your Portainer CE installation is running a vulnerable version (2.33.2 or earlier) and if regular users have privileges such as bind mounts, privileged mode, or host namespace access enabled.

To detect this on your system, you can check the Portainer version and review user permissions and endpoint security settings. Since the vulnerability allows reading host files like /etc/shadow, you can also monitor for unusual container activities or access attempts to sensitive host paths.

Suggested commands include:

• Check Portainer version via the UI or API to confirm if it is 2.33.2 or earlier.
• Review user roles and permissions in Portainer to identify non-admin users with endpoint access.
• Inspect container configurations for bind mounts or privileged mode enabled by regular users.
• Monitor container logs and host system logs for suspicious access to sensitive files such as /etc/shadow.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Portainer CE to version 2.38.0 (Short Term Support) or 2.39.0 (Long Term Support) or later, where the default settings have been hardened to restrict regular user privileges.

Additionally, apply resource limits to containers and review endpoint security settings to ensure that regular users cannot perform privileged actions such as bind mounts, privileged mode, or host namespace access.

If upgrading immediately is not possible, manually adjust the security settings to disable privileges for regular users that allow host filesystem access or host-level code execution.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Portainer CE allows regular (non-admin) users to gain host filesystem access and execute code at the host level, potentially leading to unauthorized access to sensitive data.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

If exploited, this vulnerability could lead to breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements for data protection and security.

Mitigation involves upgrading to fixed versions (2.38.0 and later) that restrict regular user privileges and applying additional hardening measures to maintain compliance.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can allow a regular user with limited privileges to escalate their access to root-equivalent on the host system. This means an attacker could read sensitive files on the host, such as password hashes, or execute arbitrary code with high privileges.

Such an impact could lead to a full host compromise, data theft, unauthorized system modifications, and potentially further attacks within the network.

Useful 0 Not Useful 0