CVE-2026-44849
HIGH
Portainer: Endpoint security bypass via Swarm service create/update
Title source: CNA description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions from 2.33.0 up to, but not including, 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to limit the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API (service create/update). This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
References (1)
Core References (1)
x_refsource_confirm
https://github.com/portainer/portainer/security/advisories/GHSA-5fxq-qcf3-244w
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
21.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (8)
portainer/portainer
2.40.0
portainer/portainer
2.33.0 - 2.33.8
portainer/portainer
2.33.0 - 2.33.8 (Go)
portainer/portainer
2.39.0 - 2.39.2 (Go)
portainer/portainer
2.40.0 - 2.41.0 (Go)
portainer/portainer
>= 2.33.0, < 2.33.8
portainer/portainer
>= 2.39.0, < 2.39.2
portainer/portainer
>= 2.40.0, < 2.41.0
Published
May 28, 2026
Tracked Since
May 29, 2026