CVE-2026-33590
Status: Received - Intake
Portainer CE Insecure Default Privileges Allow Host Access

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: ENISA

Description
Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root-equivalent access on the host.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-29
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)
Vendor      Product        Version / Range
portainer   portainer_ce   *
portainer   portainer      up to 2.38.0 (excluding)
portainer   portainer      from 2.38.0 (including)
portainer   portainer      from 2.39.0 (including)
CWE
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability (CVE-2026-33590) exists in Portainer Community Edition where insecure default settings grant regular (non-admin) users excessive privileges. These privileges allow such users to access the host filesystem and execute code at the host level. Specifically, an authenticated non-administrative user with endpoint access can exploit these settings to read sensitive host files or gain root-equivalent access on the host.

The root cause was default security settings that enabled regular users to perform actions like bind mounting host paths, running containers in privileged mode, accessing host devices, managing container stacks, and modifying system settings.

This issue was discovered in Portainer versions 2.33.2 and earlier and was fixed by restricting these default privileges in later versions (2.38.0 and 2.39.0).

How can this vulnerability impact me?

If exploited, this vulnerability can allow a regular user with limited privileges to escalate their access to root-equivalent on the host system. This means an attacker could read sensitive files on the host, such as password hashes, or execute arbitrary code with high privileges.

Such an impact could lead to a full host compromise, data theft, unauthorized system modifications, and potentially further attacks within the network.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves insecure default settings in Portainer CE that grant regular users excessive privileges, including host filesystem access and host-level code execution. Detection involves identifying whether your Portainer CE installation is running a vulnerable version (2.33.2 or earlier) and whether regular users have privileges such as bind mounts, privileged mode, or host namespace access enabled.

To detect this on your system, you can check the Portainer version and review user permissions and endpoint security settings. Since the vulnerability allows reading host files like /etc/shadow, you can also monitor for unusual container activities or access attempts to sensitive host paths.

Suggested commands include:

  • Check Portainer version via the UI or API to confirm if it is 2.33.2 or earlier.
  • Review user roles and permissions in Portainer to identify non-admin users with endpoint access.
  • Inspect container configurations for bind mounts or privileged mode enabled by regular users.
  • Monitor container logs and host system logs for suspicious access to sensitive files such as /etc/shadow.
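The third suggested check ("inspect container configurations for bind mounts or privileged mode") can be automated against the JSON that `docker inspect` emits. The script below is an added example written for this page; it is not part of the CVE record, of Portainer, or of Docker. It flags the configuration classes the advisory names (privileged mode, host PID/network/IPC namespaces, bind mounts of sensitive host paths, host device mappings, dangerous added capabilities) and compares a Portainer version string against the first fixed release, 2.38.0, which covers both the "2.33.2 or earlier" wording and the CPE range "up to 2.38.0 (excluding)" stated on this page. The list of sensitive host paths and the embedded `docker inspect` sample are constructed assumptions; on a real host, replace the sample with `docker inspect $(docker ps -aq)`.

```python
"""Audit docker-inspect output for host-access-equivalent container settings.

Added example for CVE-2026-33590 (not Portainer's or the record's own code).
Real usage:  docker inspect $(docker ps -aq) > containers.json
             python3 audit_containers.py containers.json
"""
import json
import sys
from typing import Dict, List

# Host paths whose exposure into a container amounts to host access.
# Assumption: illustrative list, extend it for your environment.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

# Capabilities that, when added, give a container a path to the host.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO"}

# First release in which this page says the defaults were hardened.
FIRST_FIXED_VERSION = (2, 38, 0)


def is_vulnerable_version(version: str) -> bool:
    """True when a Portainer version string is below the first fixed release."""
    parts = tuple(int(x) for x in version.strip().lstrip("v").split("."))
    return parts < FIRST_FIXED_VERSION


def _under_sensitive_path(host_path: str) -> bool:
    """True when host_path is, or lies beneath, one of SENSITIVE_HOST_PATHS."""
    norm = host_path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if norm == "/":
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def audit_container(c: dict) -> List[str]:
    """Return one finding per host-access-equivalent setting on a container."""
    findings: List[str] = []
    name = c.get("Name", "?").lstrip("/")
    hc = c.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append(f"{name}: Privileged=true (all host devices and capabilities)")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{name}: {key}=host (shares the host namespace)")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and _under_sensitive_path(src):
            findings.append(f"{name}: bind mount of host path {src} at {m.get('Destination')}")
    for d in hc.get("Devices") or []:
        findings.append(f"{name}: host device {d.get('PathOnHost')} mapped into container")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"{name}: added capability {cap}")
    return findings


def load_inspect(text: str) -> List[dict]:
    """Parse the JSON array that `docker inspect` prints."""
    return json.loads(text)


def audit(containers: List[dict]) -> Dict[str, List[str]]:
    """Map each container name to its list of findings (empty list = clean)."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}


# Constructed sample standing in for `docker inspect` output (assumption).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/debug-shell",
        "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "default",
                       "IpcMode": "", "CapAdd": None,
                       "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda"}]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                       "IpcMode": "", "CapAdd": None, "Devices": []},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                    "Destination": "/data"},
                   {"Type": "bind", "Source": "/srv/web/config", "Destination": "/config"}],
    },
])


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for cname, found in audit(load_inspect(data)).items():
        print(f"{cname}: {'clean' if not found else ''}")
        for f in found:
            print("  -", f)
```

Run without arguments to see the constructed sample audited; the `debug-shell` container produces four findings (privileged mode, host PID namespace, a bind mount of `/`, and a mapped host device) and `web` none. Pair the output with Portainer's own user and endpoint settings review, since a clean container list today says nothing about what a regular user could create tomorrow under permissive defaults.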

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Portainer CE to version 2.38.0 (Short Term Support) or 2.39.0 (Long Term Support) or later, where the default settings have been hardened to restrict regular user privileges.

Additionally, apply resource limits to containers and review endpoint security settings to ensure that regular users cannot perform privileged actions such as bind mounts, privileged mode, or host namespace access.

If upgrading immediately is not possible, manually adjust the security settings to disable privileges for regular users that allow host filesystem access or host-level code execution.
