Privilege Escalation in Portainer Community Edition Affecting Docker Management
CVE-2026-44848
What is CVE-2026-44848?
In the Portainer Community Edition, a significant vulnerability allows standard users with endpoint access to call privileged plugin operations directly on the Docker daemon. This issue affects versions from 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, enabling unauthorized access to install and enable plugins by non-admin users with specific permissions. The vulnerability can be exploited when a standard user is granted access to a Docker endpoint through Portainer's Role-Based Access Control (RBAC). The issue has been addressed in the subsequent versions 2.33.8, 2.39.2, and 2.41.0. For more details, visit the official advisory.
Affected Version(s)
portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
portainer >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2
portainer >= 2.40.0, < 2.41.0 < 2.40.0, 2.41.0
