CVE-2026-44881 portainer CVE debrief

Who should care

Organizations running Portainer Community Edition versions 2.33.0-2.33.7, 2.39.x before 2.39.2, or 2.41.0 with Git-backed stack deployment enabled; security teams managing container orchestration platforms; DevOps engineers with stack management privileges

Technical summary

The vulnerability exists in Portainer CE's Git-backed stack deployment feature. When cloning repositories, go-git v5 translates Git symlinks (mode 0o120000) to OS symlinks without adequate validation. The stack file retrieval endpoint follows these symlinks using os.ReadFile, enabling authenticated users to read arbitrary files accessible to the Portainer process by crafting malicious Git repositories with symlinked compose files.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Portainer Community Edition to version 2.33.8, 2.39.2, or 2.41.0 or later
• Restrict Git-backed stack creation and update privileges to administrative users only
• Implement repository content validation before stack deployment
• Monitor for suspicious stack creation or update activities involving external Git repositories
• Review access logs for unexpected file access patterns via the /api/stacks/{id}/file endpoint

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-rpgq-m5fp-32wr. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H. CWE-59 (Improper Link Resolution Before File Access) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identified. Fixed versions: 2.33.8, 2.39.2, 2.41.0.

Official resources