CVE-2026-44849
Status: Analyzed - Analysis Complete
Privileged Mode Bypass in Portainer Community Edition

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-01
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Source: NVD
Affected Vendors & Products (3 associated CPEs)
Vendor    | Product   | Version / Range
portainer | portainer | From 2.33.0 (inc) to 2.33.8 (exc)
portainer | portainer | From 2.34.0 (inc) to 2.39.1 (exc)
portainer | portainer | 2.40.0
Exploitability
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects Portainer Community Edition versions from 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0. Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to limit the container configurations non-admin users can launch. These restrictions include privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts.

However, while these restrictions are enforced on the standard container creation path, several of them are not applied on the Docker Swarm service API. This means that non-admin users could bypass some of the configured security restrictions by creating containers through the Docker Swarm service API instead.

The vulnerability is fixed in versions 2.33.8, 2.39.2, and 2.41.0.

Impact Analysis

This vulnerability can allow non-admin users to bypass important security restrictions when launching containers through the Docker Swarm service API. As a result, they might run containers with elevated privileges or configurations that are normally restricted, such as privileged mode or host PID namespace access.

Such unauthorized container configurations can lead to increased risk of container escape, privilege escalation, or unauthorized access to host resources, potentially compromising the security and integrity of the containerized environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Portainer Community Edition to 2.33.8, 2.39.2, or 2.41.0 (or a later release in the corresponding line), where the issue has been fixed.

Compliance Impact

This vulnerability allows non-admin users to bypass security restrictions and gain elevated privileges, including root-level access to Swarm manager hosts. Such unauthorized access and privilege escalation can lead to unauthorized data exposure, modification, or disruption of services.

Because of these risks, organizations using affected versions of Portainer may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and system integrity.

Failure to address this vulnerability could result in violations of confidentiality, integrity, and availability requirements mandated by these regulations.
