CVE-2026-55761
Received Received - Intake

Unauthenticated Admin Access in Portainer Community Edition

Vulnerability report for CVE-2026-55761, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
portainer portainer From 2.39.0 (inc) to 2.39.3 (inc)
portainer portainer From 2.40.0 (inc) to 2.43.0 (inc)
portainer portainer 2.39.4
portainer portainer 2.43.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55761 is a high-severity vulnerability in Portainer Community Edition, a platform used to manage containerized applications like Docker and Kubernetes. The vulnerability exists because two critical endpoints, /api/restore and /api/users/admin/init, remain accessible without authentication during a five-minute setup window when a new Portainer instance is uninitialized.

During this window, an attacker on the network can exploit these endpoints to either restore a malicious backup containing administrator credentials or create the first administrator account directly. This allows the attacker to gain full administrative access to the Portainer instance.

Once compromised, the attacker can control all managed Docker hosts, Kubernetes clusters, and edge agents, potentially leading to host-level compromise and unauthorized access to sensitive data.

Compliance Impact

CVE-2026-55761 allows an unauthenticated network attacker to gain full administrative access to uninitialized Portainer instances during a brief setup window by exploiting accessible restore and admin initialization endpoints. This unauthorized access can lead to full control over containerized environments, including Docker hosts and Kubernetes clusters.

Such unauthorized administrative access can result in exposure, modification, or deletion of sensitive data managed within these environments, potentially violating data protection requirements under standards like GDPR and HIPAA. The compromise of confidentiality, integrity, and availability of systems and data could lead to non-compliance with these regulations.

Mitigations introduced in fixed versions (2.39.4 and 2.43.0) include requiring a setup token for administrator initialization and restore operations, reducing the risk of unauthorized access during setup. Organizations using vulnerable versions without these mitigations may face increased compliance risks.

Impact Analysis

This vulnerability can have severe impacts including unauthorized full administrative access to your Portainer instance if exploited during the initial setup window.

  • An attacker can restore a crafted backup or create an admin account without authentication.
  • Full control over all managed container environments such as Docker hosts, Kubernetes clusters, and edge agents.
  • Potential host-level compromise and unauthorized access to sensitive data.

Mitigations include provisioning an administrator account immediately upon deployment or restricting network access to Portainer during the setup phase.

Detection Guidance

This vulnerability involves unauthenticated access to the /api/restore and /api/users/admin/init endpoints during a five-minute setup window on uninitialized Portainer instances. Detection can involve monitoring network traffic or API access attempts to these endpoints during the setup phase.

Since the vulnerability is related to unauthenticated access to specific API endpoints, one way to detect it is by checking if these endpoints are accessible without authentication on your Portainer instances, especially during initial setup.

No explicit commands are provided in the resources to detect this vulnerability. However, a common approach could be to use curl or similar tools to test access to these endpoints, for example:

  • curl -v http://<portainer-host>/api/restore
  • curl -v http://<portainer-host>/api/users/admin/init

If these endpoints respond without requiring authentication during the setup window, the instance is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading Portainer to a fixed version where this vulnerability is resolved, specifically versions 2.39.4 or 2.43.0 and later.

If upgrading immediately is not possible, workarounds include provisioning an administrator account at deployment time to avoid the uninitialized state and restricting network access to Portainer instances during the initial five-minute setup window to prevent unauthorized access.

Additionally, newer versions require a setup token for administrator initialization and restore operations, which can be configured via command-line flags or environment variables to enhance security.

  • Upgrade Portainer to version 2.39.4 or 2.43.0 or later.
  • Provision an admin account immediately upon deployment to avoid the vulnerable setup window.
  • Restrict network access to Portainer during the initial setup phase.
  • Use the setup token feature by configuring the --setup-token flag or environment variable to require a token for admin initialization and restore requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart