PatchSiren cyber security CVE debrief
CVE-2026-44850 portainer CVE debrief
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain an authorization bypass in the environment-level "Disable bind mounts for non-administrators" security setting. The enforcement logic validated only the legacy HostConfig.Binds array during container creation and ignored the equivalent HostConfig.Mounts array. An authenticated non-administrative user with container creation rights could bypass the restriction by submitting a bind-typed mount through HostConfig.Mounts, mounting arbitrary host paths into a container. Where the bind mount restriction was enabled as a security control, this allows container escape and host filesystem access. The vulnerability is resolved in versions 2.33.8, 2.39.2, and 2.41.0. Note that the stored record lists 2.41.0 both as affected and as fixed; confirm the status of that version against the vendor advisory.
- Vendor: portainer
- Product: Portainer Community Edition
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations using Portainer Community Edition to provide self-service container management to non-administrative users, particularly in multi-tenant environments or on platforms that offer containerized development environments to external users. Security teams relying on Portainer's "Disable bind mounts for non-administrators" setting as a compensating control for container isolation should prioritize patching, since that control did not do what it claimed on affected versions.
Technical summary
The vulnerability sits in Portainer's API proxy layer for Docker container creation. When processing a container create request, the check behind the "Disable bind mounts for non-administrators" setting inspected only HostConfig.Binds, the legacy Docker API field for bind mounts (host:container strings). The modern equivalent, the HostConfig.Mounts array, whose entries can declare Type: bind with an arbitrary host Source, was not subject to the same validation. This incomplete authorization check (CWE-863, Incorrect Authorization) let authenticated non-administrative users circumvent the control simply by expressing the bind mount in the Mounts format instead of the Binds format; the Docker daemon honours both. The issue affects Docker environment management within Portainer CE and can lead to container escape, with read or write access to sensitive host paths such as the Docker socket, configuration files, or other containers' filesystems.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Portainer Community Edition to version 2.33.8, 2.39.2, or 2.41.0 or later
- Verify that the Disable bind mounts for non-administrators setting is enabled after upgrade
- Audit container creation logs for non-administrative users who created containers with bind mounts between affected version deployment and patch application
- Review and restrict container creation permissions to only trusted users where possible
- Monitor for anomalous host filesystem access from containers in affected environments
- Do not treat client-side conventions (for example, automation that only ever uses HostConfig.Binds) as enforcement: the bypass is server-side, and any client that can reach the API can submit a bind-typed HostConfig.Mounts entry regardless of how sanctioned tooling behaves. Only the upgrade closes the gap.
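As an added example (not Portainer's code), the following Go program shows the shape of the check described in the technical summary, the vulnerable form that inspects only HostConfig.Binds beside a fixed form that also walks HostConfig.Mounts, and, serving the audit action above, applies both checks to constructed container-create bodies to list the non-administrator requests the legacy check would have missed. The struct names, the function names, the auditRecord shape, and the sample payloads are assumptions made for illustration; only the JSON field names follow the Docker Engine API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the Docker Engine container-create payload that matters here.
// JSON field names follow the Docker API; the Go types are this example's own.
type mount struct {
	Type   string `json:"Type"`
	Source string `json:"Source"`
	Target string `json:"Target"`
}

type hostConfig struct {
	Binds  []string `json:"Binds"`  // legacy "host:container[:opts]" strings
	Mounts []mount  `json:"Mounts"` // modern structured mounts, Type may be "bind"
}

type createRequest struct {
	Image      string     `json:"Image"`
	HostConfig hostConfig `json:"HostConfig"`
}

// hasBindVulnerable mirrors the pre-fix behaviour described in the advisory:
// only the legacy HostConfig.Binds array is inspected.
func hasBindVulnerable(hc hostConfig) bool {
	return len(hc.Binds) > 0
}

// hasBindFixed also walks HostConfig.Mounts and treats any entry whose Type is
// "bind" as a bind mount. The case-insensitive comparison is this example's
// defensive choice (Docker itself expects lowercase), so a client sending
// "Bind" cannot slip past a strict string match.
func hasBindFixed(hc hostConfig) bool {
	if len(hc.Binds) > 0 {
		return true
	}
	for _, m := range hc.Mounts {
		if strings.EqualFold(m.Type, "bind") {
			return true
		}
	}
	return false
}

// parseCreate decodes a container-create body. Unknown fields are ignored,
// as Docker does, so fuller real-world payloads decode the same way.
func parseCreate(body string) (createRequest, error) {
	var req createRequest
	err := json.Unmarshal([]byte(body), &req)
	return req, err
}

// auditRecord is a constructed shape for one logged create request:
// who sent it, whether they were an administrator, and the raw body.
type auditRecord struct {
	User  string
	Admin bool
	Body  string
}

// missedBinds returns the users behind non-admin requests that the vulnerable
// check let through but the fixed check would have blocked. Run over retained
// request logs, this is the list to audit after patching.
func missedBinds(records []auditRecord) []string {
	var out []string
	for _, r := range records {
		if r.Admin {
			continue // the setting only restricts non-administrators
		}
		req, err := parseCreate(r.Body)
		if err != nil {
			continue // malformed body; the daemon would have rejected it
		}
		if !hasBindVulnerable(req.HostConfig) && hasBindFixed(req.HostConfig) {
			out = append(out, r.User)
		}
	}
	return out
}

// Constructed sample requests (not real traffic).
var sampleRecords = []auditRecord{
	// Legacy form: caught by the original check.
	{User: "dev1", Body: `{"Image":"alpine","HostConfig":{"Binds":["/:/host"]}}`},
	// Bypass form: the same bind mount expressed through HostConfig.Mounts.
	{User: "dev2", Body: `{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Target":"/var/run/docker.sock"}]}}`},
	// Named volume through Mounts: not a bind mount, allowed either way.
	{User: "dev3", Body: `{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"volume","Source":"data","Target":"/data"}]}}`},
	// Administrator: the setting does not apply.
	{User: "ops", Admin: true, Body: `{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"bind","Source":"/etc","Target":"/host-etc"}]}}`},
}

func main() {
	for _, u := range missedBinds(sampleRecords) {
		fmt.Println("non-admin bind mount missed by legacy check:", u)
	}
}
```

On the sample data only dev2 is reported: dev1's request was already blocked by the legacy check, dev3 mounted a named volume rather than a host path, and the setting never applied to ops. Against real logs the same function needs the raw request body, so it only helps where the proxy or reverse proxy in front of Portainer retained bodies; otherwise fall back to inspecting the surviving containers' mounts on the Docker host.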
Evidence notes
Vulnerability description and affected version ranges derived from official CVE record and GitHub Security Advisory. CVSS 3.1 vector confirms network attack vector with low attack complexity, low privileges required, and scope change indicating impact beyond the vulnerable component.
Official resources
- CVE-2026-44850 CVE record (CVE.org)
- CVE-2026-44850 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28