CVE-2026-44885
Undergoing Analysis Undergoing Analysis - In Progress
Path Traversal in Portainer Community Edition

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal β€” a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44885
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
portainer portainer From 2.33.0 (inc) to 2.33.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows arbitrary file write on the server hosting Portainer, potentially leading to unauthorized modification of critical system files. Such unauthorized modifications can compromise system integrity and security controls.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to write arbitrary files outside the intended directory could lead to breaches of data protection and security requirements mandated by these regulations.

Specifically, if an attacker exploits this vulnerability to alter or persist malicious files on the host, it could result in unauthorized access or data manipulation, which may violate regulatory requirements for data integrity, confidentiality, and system security.

Executive Summary

This vulnerability exists in Portainer Community Edition versions from 2.33.0 to before 2.33.8 in the backup restore feature. When restoring from a .tar.gz archive, the extraction function does not properly prevent directory traversal attacks. Specifically, it constructs output paths in a way that allows a crafted archive to include entries with paths like "../../etc/cron.d/evil", which resolve outside the intended extraction directory. This means an attacker can write files to arbitrary locations on the server filesystem.

Impact Analysis

The vulnerability allows an attacker with access to the backup restore feature to write files to arbitrary locations on the server. This can lead to unauthorized modification of system files or configuration, potentially resulting in privilege escalation or disruption of service. The CVSS score indicates a low attack complexity but requires high privileges, and the impact is high on integrity and low on availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Portainer Community Edition to version 2.33.8 or later, where the directory traversal issue in the backup restore feature has been fixed.

Detection Guidance

This vulnerability involves a path traversal issue in Portainer's backup restore feature that allows crafted .tar.gz archives to write files outside the intended extraction directory. Detection requires monitoring or inspecting backup restore operations for suspicious archive contents.

Since exploitation requires administrator access to Portainer's backup restore endpoint, one way to detect potential exploitation is to audit logs for unexpected or unauthorized backup restore actions.

To detect malicious archives, you can manually inspect .tar.gz backup files for entries with directory traversal patterns such as "../../" in their file paths before restoring them.

  • Use the command `tar -tzf backup.tar.gz | grep '\.\./'` to list files in the archive that contain directory traversal sequences.
  • Check Portainer server logs for backup restore requests and verify if any unusual or unauthorized restore operations occurred.
  • Monitor filesystem changes after backup restore operations to detect unexpected file writes outside the intended directories.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart