Authorization Bypass in Portainer Community Edition
CVE-2026-44884

6MEDIUM

Key Information:

Vendor

Portainer

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-44884?

A missing authorization issue in Portainer Community Edition enables any authenticated user to access the content of custom template files via the endpoint for fetching custom template files. By exploiting sequential integer ID enumeration, unauthorized users can bypass Resource Control access restrictions, exposing sensitive information such as connection strings, API tokens, or registry credentials that should remain confidential. This vulnerability impacts versions 2.33.0 up to but not including 2.33.8, as well as version 2.39.1, with fixes implemented in subsequent releases.

Affected Version(s)

portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

portainer >= 2.39.0, < 2.39.1 < 2.39.0, 2.39.1

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.