PatchSiren cyber security CVE debrief

CVE-2026-44849 Portainer CVE debrief

Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain a critical authorization bypass vulnerability. The platform's EndpointSecuritySettings feature allows administrators to restrict container configurations for non-admin users across seven categories: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp/AppArmor), and bind mounts. While these restrictions are properly enforced on standard container creation paths, they are not applied to the Docker Swarm service API, allowing non-admin users to bypass security controls when deploying services via Swarm. This represents a missing authorization check (CWE-862) that could enable container escape and host compromise. The vulnerability was disclosed on May 28, 2026, with fixes released in versions 2.33.8, 2.39.2, and 2.41.0.

Vendor
portainer
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations using Portainer Community Edition to manage Docker Swarm environments with multi-user access, particularly those relying on EndpointSecuritySettings to enforce container security boundaries for non-administrative users.

Technical summary

The vulnerability exists in the Docker Swarm service API implementation within Portainer Community Edition. While the standard container creation API enforces the EndpointSecuritySettings restrictions configured by administrators, the Swarm service API path lacks equivalent enforcement. This allows authenticated non-admin users to deploy services with configurations those settings are meant to block, including privileged containers, host PID namespace access, dangerous capabilities, and unrestricted bind mounts. The CVSS 4.0 score of 9.4 reflects the high impact potential: a network-accessible attack surface, low-complexity exploitation, and full compromise of confidentiality, integrity, and availability.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Portainer Community Edition to version 2.33.8, 2.39.2, or 2.41.0 (or later)
  • Audit Docker Swarm services deployed by non-admin users for unauthorized privileged configurations
  • Review EndpointSecuritySettings policies to ensure restrictions align with organizational security requirements
  • Implement network segmentation to limit access to Portainer management interfaces
  • Monitor for anomalous Swarm service deployments that may indicate exploitation attempts
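One way to carry out the audit recommended above, as an added example that is not part of this debrief or of Portainer's own code: it checks the JSON returned by `docker service inspect` for added capabilities, sysctls, bind mounts outside an allow-list, and any `Privileges` block, using the Docker Engine API's ServiceSpec field names. The sample service, the denied-capability set and the allowed bind-mount prefix are constructed for illustration and should be replaced by the policy configured on the endpoint.

```python
import json

# Constructed sample shaped like one entry of `docker service inspect` output
# (Docker Engine API ServiceSpec). Field names are the Engine API's; values are made up.
SAMPLE_SERVICE = json.loads("""
{
  "ID": "constructed0001",
  "Spec": {
    "Name": "web-helper",
    "TaskTemplate": {
      "ContainerSpec": {
        "Image": "alpine:3.19",
        "CapabilityAdd": ["CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"],
        "Sysctls": {"net.ipv4.ip_forward": "1"},
        "Mounts": [
          {"Type": "bind", "Source": "/", "Target": "/host"},
          {"Type": "volume", "Source": "data", "Target": "/data"}
        ]
      }
    }
  }
}
""")

# Example policy mirroring the categories EndpointSecuritySettings restricts (assumed values).
DENIED_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN"}
ALLOWED_BIND_PREFIXES = ("/srv/app/",)

def audit_service(service: dict) -> list[str]:
    """Return policy findings for one Swarm service; an empty list means compliant."""
    spec = service.get("Spec", {})
    cs = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    name = spec.get("Name", service.get("ID", "?"))
    findings = []
    for cap in cs.get("CapabilityAdd") or []:
        if cap.upper() in DENIED_CAPS:
            findings.append(f"{name}: adds denied capability {cap}")
    if cs.get("Sysctls"):
        findings.append(f"{name}: sets sysctls {sorted(cs['Sysctls'])}")
    for m in cs.get("Mounts") or []:
        if m.get("Type") == "bind" and not m.get("Source", "").startswith(ALLOWED_BIND_PREFIXES):
            findings.append(f"{name}: bind mount of {m.get('Source')} at {m.get('Target')}")
    if cs.get("Privileges"):
        findings.append(f"{name}: sets container Privileges {sorted(cs['Privileges'])}")
    return findings

def audit_services(services: list[dict]) -> list[str]:
    """Audit a whole `docker service inspect $(docker service ls -q)` result."""
    return [f for s in services for f in audit_service(s)]

if __name__ == "__main__":
    for line in audit_services([SAMPLE_SERVICE]):
        print(line)
```

Feed it real output with `docker service inspect $(docker service ls -q) > services.json` and pass the parsed list to `audit_services`; services created before the upgrade are the ones worth reviewing first.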

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-5fxq-qcf3-244w. CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high impact across confidentiality, integrity, and availability for both the vulnerable component and subsequent systems.

Official resources

2026-05-28