CVE-2026-44885
Path Traversal in Portainer Community Edition
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portainer | community_edition | From 2.33.0 (inc) to 2.33.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows arbitrary file write on the server hosting Portainer, potentially leading to unauthorized modification of critical system files. Such unauthorized modifications can compromise system integrity and security controls.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to write arbitrary files outside the intended directory could lead to breaches of data protection and security requirements mandated by these regulations.
Specifically, if an attacker exploits this vulnerability to alter or persist malicious files on the host, it could result in unauthorized access or data manipulation, which may violate regulatory requirements for data integrity, confidentiality, and system security.
Can you explain this vulnerability to me?
This vulnerability exists in the backup restore feature of Portainer Community Edition versions from 2.33.0 up to, but not including, 2.33.8. When a backup is restored from a .tar.gz archive, the extraction code joins each archive entry's name onto the destination directory without checking that the resolved path still lies inside that directory. A crafted archive can therefore contain an entry named "../../etc/cron.d/evil": the ".." components walk out of the extraction directory and the entry is written to /etc/cron.d on the host. In short, whoever can submit a backup for restore can write files to arbitrary locations on the server filesystem.
How can this vulnerability impact me?
The vulnerability allows an attacker with access to the backup restore feature to write files to arbitrary locations on the server. This can lead to unauthorized modification of system files or configuration, potentially resulting in privilege escalation or disruption of service. The CVSS score indicates a low attack complexity but requires high privileges, and the impact is high on integrity and low on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Portainer Community Edition to version 2.33.8 or later, where the directory traversal issue in the backup restore feature has been fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a path traversal issue in Portainer's backup restore feature that allows crafted .tar.gz archives to write files outside the intended extraction directory. Detection requires monitoring or inspecting backup restore operations for suspicious archive contents.
Since exploitation requires administrator access to Portainer's backup restore endpoint, one way to detect potential exploitation is to audit logs for unexpected or unauthorized backup restore actions.
To detect malicious archives, inspect a .tar.gz backup for entries whose names would escape the extraction directory before restoring it. Look for ".." path components and for absolute paths, and also list any symlink entries, since a link pointing outside the destination can turn a later, harmless-looking entry into an out-of-tree write.
- Use `tar -tPzf backup.tar.gz | grep -E '^/|(^|/)\.\.(/|$)'` to list entries that start with "/" or contain a ".." component (`-P` makes GNU tar print stored names verbatim instead of stripping a leading "/").
- Use `tar -tvPzf backup.tar.gz | grep '^l'` to list symlink entries together with their targets so they can be reviewed by hand.
- Check Portainer server logs for backup restore requests and verify whether any unusual or unauthorized restore operations occurred.
- Monitor filesystem changes after backup restore operations to detect unexpected file writes outside the intended directories; given the example path in this advisory, new files under /etc/cron.d are an obvious thing to watch.
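The following Go program is an added example, not Portainer's code, that ties together the explanation of the flaw above and the detection advice: `vulnerableTarget` reproduces the unchecked join-on-destination pattern, `safeTarget` is the hardened version that rejects anything resolving outside the destination, and `ScanArchive` is a pre-restore check over a real .tar.gz stream. The archive it scans is constructed in memory for the example (it is not a real Portainer backup), the restore directory `/data/restore` is hypothetical, and the symlink check is general tar-slip hygiene rather than something the advisory states about this CVE.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Entry is one archive member; only the fields that matter for a traversal check.
type Entry struct {
	Name, Linkname string
	Typeflag       byte
}

// Finding records an archive member that would escape the restore directory.
type Finding struct {
	Name, Reason string
}

// vulnerableTarget mirrors the flawed pattern: the member name is joined onto the
// destination and the cleaned result is used as-is, so ".." walks out of dest.
func vulnerableTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeTarget joins the same way but refuses any result that is not inside dest.
func safeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q resolves to %s, outside %s", name, target, cleanDest)
	}
	return target, nil
}

// ScanArchive reads a .tar.gz and reports every member that is unsafe to extract
// into dest: absolute names, ".." traversal, and links whose target leaves dest.
func ScanArchive(r io.Reader, dest string) ([]Finding, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		if filepath.IsAbs(hdr.Name) {
			findings = append(findings, Finding{hdr.Name, "absolute path"})
			continue
		}
		if _, err := safeTarget(dest, hdr.Name); err != nil {
			findings = append(findings, Finding{hdr.Name, "traversal outside destination"})
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			// The link target is relative to the link's own directory inside the archive.
			rel := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
			if _, err := safeTarget(dest, rel); err != nil || filepath.IsAbs(hdr.Linkname) {
				findings = append(findings, Finding{hdr.Name, "link target outside destination"})
			}
		}
	}
}

// buildArchive writes the entries into an in-memory .tar.gz (constructed test data).
func buildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Linkname: e.Linkname, Typeflag: e.Typeflag, Mode: 0o644}
		if e.Typeflag == tar.TypeReg {
			hdr.Size = 1
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.Typeflag == tar.TypeReg {
			tw.Write([]byte("x"))
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// CraftedBackup is a constructed archive of the kind the advisory describes:
// one benign member plus entries that try to land outside the restore directory.
func CraftedBackup() []byte {
	return buildArchive([]Entry{
		{Name: "portainer.db", Typeflag: tar.TypeReg},
		{Name: "../../etc/cron.d/evil", Typeflag: tar.TypeReg},
		{Name: "/etc/cron.d/evil2", Typeflag: tar.TypeReg},
		{Name: "tls/link", Typeflag: tar.TypeSymlink, Linkname: "../../../etc"},
	})
}

func main() {
	dest := "/data/restore" // hypothetical restore directory
	name := "../../etc/cron.d/evil"
	fmt.Println("vulnerable join:", vulnerableTarget(dest, name))
	if _, err := safeTarget(dest, name); err != nil {
		fmt.Println("hardened join:  ", err)
	}
	findings, err := ScanArchive(bytes.NewReader(CraftedBackup()), dest)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("unsafe member %q: %s\n", f.Name, f.Reason)
	}
}
```

The prefix check in `safeTarget` is done on the cleaned, joined path rather than on the raw entry name, which is what matters: a name such as `a/../b` is harmless after cleaning, while `../../etc/cron.d/evil` cleans to a path that no longer starts with the destination. Running `ScanArchive` against a backup before handing it to the restore endpoint gives the same answer as the `tar | grep` checks above, but in a form that can be wired into a gate on the upload path.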