CVE-2026-44882
Analyzed Analyzed - Analysis Complete
Kubernetes Authorization Bypass in Portainer Community Edition

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement β€” execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware β€” for example a user without permission to access a given Kubernetes endpoint β€” would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44882
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
portainer portainer From 2.33.0 (inc) to 2.33.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows low-privileged users with valid Portainer sessions to bypass authorization checks and access Kubernetes endpoints they are not authorized to reach. This unauthorized access can lead to reading or modifying sensitive cluster resources such as pods, secrets, or deployments.

Such unauthorized access and potential exposure or modification of sensitive data could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of confidential information.

Detection Guidance

This vulnerability exists in Portainer versions 2.33.0 through 2.33.7 where the Kubernetes middleware improperly processes requests after token validation fails, allowing unauthorized access to Kubernetes endpoints.

To detect if your system is vulnerable, first verify the Portainer version running in your environment. If it is between 2.33.0 and 2.33.7, your system is potentially affected.

You can check the Portainer version by running the following command on the host where Portainer is installed:

  • docker ps --filter "name=portainer" --format "{{.Image}}"
  • docker exec -it <portainer_container_id_or_name> portainer --version

Additionally, monitoring HTTP 403 responses from Portainer's Kubernetes endpoints followed by unexpected successful access attempts could indicate exploitation attempts. However, no specific detection commands or signatures are provided in the available resources.

The recommended mitigation is to upgrade Portainer to version 2.33.8 or later.

Executive Summary

This vulnerability exists in Portainer Community Edition versions from 2.33.0 up to but not including 2.33.8. Portainer uses a middleware layer called kubeClientMiddleware to proxy requests to Kubernetes clusters and validate user tokens before forwarding traffic. However, when the token validation function security.RetrieveTokenData returned an error, the middleware responded with an HTTP 403 error but failed to stop execution. As a result, the request continued with a nil tokenData value, causing the authorization check to be bypassed.

This means that a user with a valid Portainer session but without permission to access certain Kubernetes endpoints could still have their requests forwarded to the cluster, effectively bypassing the intended authorization controls.

The issue affected both the Community Edition and Enterprise Edition codebases and was fixed in version 2.33.8.

Impact Analysis

This vulnerability can allow an attacker who has a valid Portainer session but lacks proper permissions to access certain Kubernetes endpoints to bypass authorization checks and interact with those endpoints anyway.

The impact includes unauthorized access to Kubernetes cluster resources, which can lead to exposure or modification of sensitive data and potentially compromise the integrity of containerized applications managed through Portainer.

According to the CVSS score of 8.1, the vulnerability is considered high severity, with high impact on confidentiality and integrity but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Portainer Community Edition to version 2.33.8 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart