CVE-2026-44849
Privileged Mode Bypass in Portainer Community Edition
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portainer | community_edition | From 2.33.0 (inc) to 2.33.8 (exc) |
| portainer | community_edition | 2.39.2 |
| portainer | community_edition | 2.41.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Portainer Community Edition versions from 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0. Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to limit the container configurations non-admin users can launch. These restrictions include privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts.
However, while these restrictions are enforced on the standard container creation path, several of them are not applied on the Docker Swarm service API. This means that non-admin users could potentially bypass some security restrictions when creating containers via the Docker Swarm service API.
The vulnerability is fixed in versions 2.33.8, 2.39.2, and 2.41.0.
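The missing-check pattern described above is easiest to close by routing both API paths through one authorization function. The Go below is an added illustration, not Portainer's code: the Restrictions and Workload types and the Check function are this example's own names, and the Workload values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Restrictions mirrors the seven EndpointSecuritySettings in the advisory
// (field names are this example's own, not Portainer's).
type Restrictions struct {
	AllowPrivileged, AllowHostPID, AllowDevices, AllowCapAdd,
	AllowSysctls, AllowSecurityOpt, AllowBindMounts bool
}

// Workload is the common shape both API paths (HostConfig, Swarm ContainerSpec) feed to Check.
type Workload struct {
	Privileged  bool
	PidMode     string // "host" selects the host PID namespace
	Devices     []string
	CapAdd      []string
	Sysctls     map[string]string
	SecurityOpt []string
	BindMounts  []string // host paths of bind-type mounts
}

// Check returns nil when a non-admin may create the workload, else an error naming each denied setting.
func (r Restrictions) Check(w Workload) error {
	var denied []string
	deny := func(used, allowed bool, name string) {
		if used && !allowed {
			denied = append(denied, name)
		}
	}
	deny(w.Privileged, r.AllowPrivileged, "privileged")
	deny(w.PidMode == "host", r.AllowHostPID, "host PID namespace")
	deny(len(w.Devices) > 0, r.AllowDevices, "device mapping")
	deny(len(w.CapAdd) > 0, r.AllowCapAdd, "capabilities")
	deny(len(w.Sysctls) > 0, r.AllowSysctls, "sysctls")
	deny(len(w.SecurityOpt) > 0, r.AllowSecurityOpt, "security-opt")
	deny(len(w.BindMounts) > 0, r.AllowBindMounts, "bind mounts")
	if len(denied) > 0 {
		return fmt.Errorf("denied by endpoint security settings: %s", strings.Join(denied, ", "))
	}
	return nil
}

func main() {
	locked := Restrictions{} // all seven restrictions enabled for non-admins
	fmt.Println(locked.Check(Workload{Privileged: true, PidMode: "host", BindMounts: []string{"/"}}))
}
```

The container-create handler and the Swarm service handler each map their own request type onto Workload and call the same Check, so a setting cannot be enforced on one path and forgotten on the other.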
How can this vulnerability impact me?
This vulnerability can allow non-admin users to bypass important security restrictions when launching containers through the Docker Swarm service API. As a result, they might run containers with elevated privileges or configurations that are normally restricted, such as privileged mode or host PID namespace access.
Such unauthorized container configurations can lead to increased risk of container escape, privilege escalation, or unauthorized access to host resources, potentially compromising the security and integrity of the containerized environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Portainer Community Edition to version 2.33.8, 2.39.2, or 2.41.0 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows non-admin users to bypass security restrictions and gain elevated privileges, including root-level access to Swarm manager hosts. Such unauthorized access and privilege escalation can lead to unauthorized data exposure, modification, or disruption of services.
Because of these risks, organizations using affected versions of Portainer may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and system integrity.
Failure to address this vulnerability could result in violations of confidentiality, integrity, and availability requirements mandated by these regulations.