Vulnerability in Portainer Community Edition Authentication Middleware
CVE-2026-44883

7.7HIGH

Key Information:

Vendor

Portainer

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-44883?

A flaw in the Portainer Community Edition allows JWT bearer tokens to be passed via URL query parameters, exposing sensitive authentication tokens that can be logged in reverse-proxy access logs, browser history, and HTTP Referer headers. This security issue affects versions prior to 2.33.8, 2.39.2, and 2.41.0, and can lead to unauthorized access as any user with an active token can potentially access full privileges until expiration. Users with exec or attach rights on containers are particularly at risk, necessitating prompt upgrading to the patched versions.

Affected Version(s)

portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

portainer >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2

portainer >= 2.40.0, < 2.41.0 < 2.40.0, 2.41.0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.