PatchSiren cyber security CVE debrief
CVE-2026-44882 portainer CVE debrief
Portainer Community Edition (CE) and Enterprise Edition (EE) contain an authorization bypass vulnerability in the Kubernetes proxy middleware (kubeClientMiddleware). Affected versions from 2.33.0 to before 2.33.8 fail to halt request processing when secondary token validation fails, causing execution to continue with a nil tokenData value. While the Kubernetes endpoints require a valid Portainer session via the AuthenticatedAccess bouncer, users lacking Kubernetes endpoint permissions can have their requests forwarded to the cluster anyway, bypassing authorization checks. The CVSS 3.1 score of 8.1 (High) reflects network attack vector, low attack complexity, low privileges required, and high impact to confidentiality and integrity. The vulnerability is fixed in version 2.33.8.
- Vendor: portainer
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Portainer CE or EE versions 2.33.0-2.33.7 to manage Kubernetes clusters; security teams responsible for container platform access controls; DevOps engineers using Portainer for multi-tenant Kubernetes environments.
Technical summary
The kubeClientMiddleware in Portainer 2.33.0 up to (but not including) 2.33.8 validates user tokens before proxying requests to Kubernetes clusters. When security.RetrieveTokenData returns an error, the middleware writes an HTTP 403 response but omits a return statement, so execution continues into the handler with a nil tokenData value. Although AuthenticatedAccess still requires a valid Portainer session, the failure of this secondary authorization check is effectively ignored, and the request is proxied to the Kubernetes API even though the caller lacks the required Kubernetes endpoint permissions. Both the CE and EE codebases are affected. The fix in version 2.33.8 adds the missing return statement after the error response.
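To illustrate the defect class described above, here is an added Go example (not Portainer's code) contrasting a middleware that writes 403 but falls through with one that returns after the error; the header name, validator and request path are constructed placeholders. The probe helper shows that the fall-through variant reports 403 yet still reaches the downstream handler, which is why a 403 in the client-visible response is not by itself proof that the request was blocked.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
type tokenData struct{ Username string }
// Hypothetical secondary validator: only the constructed header value "valid" passes.
func retrieveTokenData(r *http.Request) (*tokenData, error) {
	if r.Header.Get("X-Example-Token") != "valid" {
		return nil, fmt.Errorf("token validation failed")
	}
	return &tokenData{Username: "alice"}, nil
}

// Defect pattern: 403 is written, but without a return the request still reaches next.
func vulnerableMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := retrieveTokenData(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			// missing return here
		}
		next.ServeHTTP(w, r)
	})
}

// Corrected pattern: halt processing right after the error response.
func fixedMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := retrieveTokenData(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through mw; reports status and whether next ran.
func probe(mw func(http.Handler) http.Handler, token string) (int, bool) {
	forwarded := false
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { forwarded = true })
	req := httptest.NewRequest(http.MethodGet, "/example/kubernetes", nil)
	req.Header.Set("X-Example-Token", token)
	rec := httptest.NewRecorder()
	mw(next).ServeHTTP(rec, req)
	return rec.Code, forwarded
}

func main() { fmt.Println(probe(vulnerableMiddleware, "bogus")) } // 403 true
```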
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Portainer CE and EE installations to version 2.33.8 or later
- Review Kubernetes cluster audit logs for unauthorized access attempts from Portainer proxy paths
- Verify kubeClientMiddleware authorization enforcement in custom Portainer builds or forks
- Implement defense-in-depth by applying Kubernetes RBAC policies independent of Portainer's access controls
- Monitor for failed token validation events in Portainer application logs
Evidence notes
Vulnerability confirmed in official GitHub security advisory. CWE-863 (Incorrect Authorization) classification from advisory source. CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N matches description of network-accessible authorization bypass with session requirement but no user interaction.
Official resources
- CVE-2026-44882 CVE record (CVE.org)
- CVE-2026-44882 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Disclosed 2026-05-28 via GitHub Security Advisory GHSA-mgq6-4x29-88r3 and NVD. Vendor fix released in Portainer 2.33.8.