Authorization Bypass in Portainer Community Edition
CVE-2026-44884
6MEDIUM
What is CVE-2026-44884?
A missing authorization issue in Portainer Community Edition enables any authenticated user to access the content of custom template files via the endpoint for fetching custom template files. By exploiting sequential integer ID enumeration, unauthorized users can bypass Resource Control access restrictions, exposing sensitive information such as connection strings, API tokens, or registry credentials that should remain confidential. This vulnerability impacts versions 2.33.0 up to but not including 2.33.8, as well as version 2.39.1, with fixes implemented in subsequent releases.
Affected Version(s)
portainer >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
portainer >= 2.39.0, < 2.39.1 < 2.39.0, 2.39.1
