PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33590 Portainer CVE debrief

Insecure default settings in Portainer Community Edition (CE) allow authenticated non-administrative users with endpoint access to read host files and achieve root-equivalent code execution on the host. The vulnerability stems from overly permissive default configurations that grant regular users capabilities typically reserved for administrators.

Vendor: Portainer
Product: Portainer Community Edition
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Portainer CE for container orchestration with multi-user environments; security teams responsible for container platform hardening; DevOps engineers managing role-based access control for container management interfaces

Technical summary

Portainer CE's default configuration grants non-administrative users excessive privileges when endpoint access is provisioned. An authenticated attacker with these permissions can mount host filesystem paths into containers, execute commands with host-level privileges, and effectively achieve root access on the underlying host. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and carries a CVSS 4.0 score of 8.5 (HIGH severity). The attack requires network access, low privileges, and user interaction, with high impacts across confidentiality, integrity, and availability boundaries.

Defensive priority

HIGH

Recommended defensive actions

  • Review and restrict Portainer CE user endpoint access permissions, ensuring non-administrative users are not granted capabilities that enable host filesystem access or container runtime privileges
  • Audit existing Portainer CE deployments for default configurations that may over-privilege regular user accounts, particularly those with endpoint access
  • Apply patches from the referenced GitHub commits (3e2fdb18 and ac8fa767) once officially released by the Portainer project
  • Implement principle of least privilege for all Portainer CE user accounts, explicitly denying host bind mounts, privileged container creation, and host network access for non-administrative roles
  • Enable and review audit logging for endpoint access and container deployment activities to detect potential exploitation attempts
  • Consider network segmentation to limit Portainer CE administrative interfaces to authorized administrative hosts only
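One way to carry out the audit and least-privilege checks above, as an added example that is not part of this debrief or of Portainer's own tooling: it evaluates endpoint records (a constructed sample is embedded) and reports, for every endpoint that a non-admin user or team can reach, which of the per-endpoint "regular user" switches are still enabled. The field names are assumed from Portainer CE's endpoint security settings and should be verified against the API of the deployed version.

```python
import json

# Constructed sample of Portainer CE endpoint records, trimmed to the fields
# this check reads. Field names are assumed from Portainer's endpoint security
# settings (not taken from the advisory); verify them against your version.
SAMPLE_ENDPOINTS = json.loads("""[
  {"Id": 1, "Name": "prod-docker",
   "UserAccessPolicies": {"3": {"RoleId": 0}}, "TeamAccessPolicies": {},
   "SecuritySettings": {"allowBindMountsForRegularUsers": true,
                        "allowPrivilegedModeForRegularUsers": true,
                        "allowHostNamespaceForRegularUsers": true,
                        "allowDeviceMappingForRegularUsers": false,
                        "allowContainerCapabilitiesForRegularUsers": true,
                        "enableHostManagementFeatures": true}},
  {"Id": 2, "Name": "dev-docker",
   "UserAccessPolicies": {}, "TeamAccessPolicies": {"1": {"RoleId": 0}},
   "SecuritySettings": {"allowBindMountsForRegularUsers": false,
                        "allowPrivilegedModeForRegularUsers": false,
                        "allowHostNamespaceForRegularUsers": false,
                        "allowDeviceMappingForRegularUsers": false,
                        "allowContainerCapabilitiesForRegularUsers": false,
                        "enableHostManagementFeatures": false}},
  {"Id": 3, "Name": "admin-only",
   "UserAccessPolicies": {}, "TeamAccessPolicies": {},
   "SecuritySettings": {"allowBindMountsForRegularUsers": true,
                        "allowPrivilegedModeForRegularUsers": true}}
]""")

# Per-endpoint switches that, when true, give regular (non-admin) users the
# host-level reach the advisory describes. A hardened endpoint has all false.
RISKY_FOR_REGULAR_USERS = (
    "allowBindMountsForRegularUsers",            # host paths mounted into containers
    "allowPrivilegedModeForRegularUsers",        # privileged containers
    "allowHostNamespaceForRegularUsers",         # host PID/IPC/network namespaces
    "allowDeviceMappingForRegularUsers",         # host devices inside containers
    "allowContainerCapabilitiesForRegularUsers", # extra Linux capabilities
    "enableHostManagementFeatures",              # host management features
)

def audit_endpoint(endpoint):
    """Risky settings enabled on an endpoint that non-admin users or teams can
    reach. Admins see every endpoint regardless of policy, so an endpoint with
    empty access policies is admin-only and yields no findings."""
    exposed = bool(endpoint.get("UserAccessPolicies")) or bool(endpoint.get("TeamAccessPolicies"))
    if not exposed:
        return []
    settings = endpoint.get("SecuritySettings") or {}
    return [name for name in RISKY_FOR_REGULAR_USERS if settings.get(name) is True]

def audit(endpoints):
    """Map endpoint name -> enabled risky settings, for endpoints with findings."""
    return {e["Name"]: f for e in endpoints if (f := audit_endpoint(e))}
```

Feed it the endpoint list returned by your Portainer instance and treat every reported endpoint as one whose regular users hold the capabilities the advisory warns about.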

Evidence notes

CVE published 2026-05-28. NVD status 'Received'. Two GitHub commits (3e2fdb18, ac8fa767) and one Intwave blog post (2026-02-26) cited as references. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, user interaction present, with high impacts across confidentiality, integrity, and availability for both the vulnerable component and subsequent systems. CWE-276 (Incorrect Default Permissions) identified.

Official resources

2026-05-28