Privilege Escalation in Portainer Community Edition Affecting Docker Management
CVE-2026-44848

9.4CRITICAL

Key Information:

Vendor

Portainer

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-44848?

In the Portainer Community Edition, a significant vulnerability allows standard users with endpoint access to call privileged plugin operations directly on the Docker daemon. This issue affects versions from 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, enabling unauthorized access to install and enable plugins by non-admin users with specific permissions. The vulnerability can be exploited when a standard user is granted access to a Docker endpoint through Portainer's Role-Based Access Control (RBAC). The issue has been addressed in the subsequent versions 2.33.8, 2.39.2, and 2.41.0. For more details, visit the official advisory.

Affected Version(s)

portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

portainer >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2

portainer >= 2.40.0, < 2.41.0 < 2.40.0, 2.41.0

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.