Symlink Vulnerability in Portainer Community Edition Affects Docker and Kubernetes Management
CVE-2026-44881

8.5HIGH

Key Information:

Vendor

Portainer

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-44881?

Portainer Community Edition is a platform used for managing containerized applications, including those in Docker, Swarm, Kubernetes, and ACI environments. Versions from 2.33.0 to prior to 2.33.8, 2.39.2, and 2.41.0 have a vulnerability where symlink handling during the deployment of Git-backed stacks allows unauthorized users to access sensitive filesystem paths. This occurs because while the .gitmodules file is blocked from symlink conversion, other Git blob entries are not validated, creating a risk of exposing arbitrary files to any authenticated user who can create or update stacks. This issue has been patched in versions 2.33.8, 2.39.2, and 2.41.0.

Affected Version(s)

portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

portainer >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2

portainer >= 2.40.0, < 2.41.0 < 2.40.0, 2.41.0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.