Symlink Vulnerability in Portainer Community Edition Affects Docker and Kubernetes Management
CVE-2026-44881
What is CVE-2026-44881?
Portainer Community Edition is a platform used for managing containerized applications, including those in Docker, Swarm, Kubernetes, and ACI environments. Versions from 2.33.0 to prior to 2.33.8, 2.39.2, and 2.41.0 have a vulnerability where symlink handling during the deployment of Git-backed stacks allows unauthorized users to access sensitive filesystem paths. This occurs because while the .gitmodules file is blocked from symlink conversion, other Git blob entries are not validated, creating a risk of exposing arbitrary files to any authenticated user who can create or update stacks. This issue has been patched in versions 2.33.8, 2.39.2, and 2.41.0.
Affected Version(s)
portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
portainer >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2
portainer >= 2.40.0, < 2.41.0 < 2.40.0, 2.41.0
