PatchSiren


CVE-2026-44883 portainer CVE debrief

Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x before 2.39.2, and 2.41.0 are affected by an information disclosure vulnerability where JWT bearer tokens are accepted via URL query parameter (?token=<JWT>) on authenticated API endpoints. This authentication method, used by browser-based container attach, exec, and pod shell features, causes tokens to be recorded in reverse-proxy access logs, browser history, and HTTP Referer headers. Any party with access to these logs or external sites receiving Referer headers can harvest valid tokens, granting full user privileges until expiration (default 8 hours). The vulnerability exposes all users with container exec or attach rights, not only administrators.

Vendor: portainer
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Portainer Community Edition for container orchestration, particularly those with multi-user environments where developers or operators have container exec/attach access. Security teams responsible for authentication token handling, reverse proxy configuration, and container platform security. Compliance teams monitoring for credential exposure in logs and audit trails.

Technical summary

The vulnerability stems from Portainer's authentication middleware accepting JWT bearer tokens via the ?token=<JWT> URL query parameter in addition to the standard Authorization: Bearer header. This query parameter authentication was implemented to support browser-based WebSocket connections for container attach, exec, and pod shell features. However, URLs containing query parameters are logged by reverse proxies, stored in browser history, and transmitted in HTTP Referer headers during outbound navigation. An attacker with access to any of these locations can extract the JWT token and impersonate the affected user with full privileges until token expiration. The default token lifetime of 8 hours (configurable) extends the window of exploitation. The vulnerability affects any user with container exec or attach permissions, significantly broadening the attack surface beyond administrative accounts.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Portainer Community Edition to version 2.33.8, 2.39.2, or 2.41.0 or later
  • Review reverse-proxy access logs for potential token exposure
  • Rotate any potentially exposed JWT tokens
  • Configure shorter token expiration periods if supported
  • Audit container exec/attach permissions to limit exposure surface
  • Inspect browser history and Referer header patterns for token leakage indicators
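The technical summary above explains why a token in the query string ends up in reverse-proxy access logs and Referer headers, and the defensive actions ask you to review those logs and rotate anything exposed. The script below is an added example written for this debrief, not code from Portainer or PatchSiren: it scans combined-format access-log lines for `token=<JWT>` values in both the request target and the Referer field, decodes each token's unverified payload to report who it belongs to and whether it was still valid at a fixed reference time, and produces a redacted copy of each line so findings can be shared without re-exposing the secret. The log lines and JWTs are constructed for the example (unsigned, fabricated tokens), and the claim names `sub` and `exp` are the standard JWT registered claims, assumed here rather than confirmed as Portainer's own claim layout.

```python
"""Scan reverse-proxy access logs for Portainer JWTs leaked via ?token=<JWT>."""
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Fixed reference time so "still valid" is deterministic for the sample data.
NOW = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)


def _epoch(*ymdhm: int) -> int:
    """UTC calendar fields -> Unix epoch seconds (helper for the constructed tokens)."""
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_jwt(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped string (header.payload.bogus-signature) for the sample log."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.fakesignature"


# Constructed tokens: 'sub'/'exp' are assumed claim names, not Portainer's confirmed ones.
TOKEN_A = make_fake_jwt({"sub": "dev-alice", "exp": _epoch(2026, 5, 28, 18, 15)})  # valid at NOW
TOKEN_B = make_fake_jwt({"sub": "ops-bob", "exp": _epoch(2026, 5, 28, 9, 0)})      # expired at NOW

# Constructed combined-log-format lines (not real traffic).
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [28/May/2026:10:15:02 +0000] "GET /api/websocket/exec?endpointId=1&id=abc&token={TOKEN_A} HTTP/1.1" 101 0 "https://portainer.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [28/May/2026:10:16:10 +0000] "GET /api/endpoints HTTP/1.1" 200 512 "-" "curl/8.0"',
    f'10.0.0.9 - - [28/May/2026:10:17:44 +0000] "GET /api/websocket/attach?token={TOKEN_B}&endpointId=2 HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [28/May/2026:10:18:03 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "https://portainer.example/api/websocket/exec?token={TOKEN_A}" "Mozilla/5.0"',
])

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Three base64url segments separated by dots; the signature segment may be empty.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (triage only, never trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def _tokens_in(url: str) -> list:
    """Every value of a 'token' query parameter in a path-or-URL (key matched case-insensitively)."""
    query = urlsplit(url).query
    return [v for k, vals in parse_qs(query).items() if k.lower() == "token" for v in vals]


def find_token_exposures(log_text: str, now: datetime = NOW) -> list:
    """Return one finding per JWT found in a request target or Referer, with validity at `now`."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production scanner would count and report these
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            for tok in _tokens_in(url):
                if not JWT_RE.match(tok):
                    continue
                try:
                    claims = decode_jwt_payload(tok)
                except ValueError:  # covers binascii.Error and JSONDecodeError
                    claims = {}
                exp = claims.get("exp")
                expires = datetime.fromtimestamp(exp, tz=timezone.utc) if isinstance(exp, int) else None
                findings.append({
                    "line": line_no,
                    "client": m["client"],
                    "where": where,
                    "path": urlsplit(url).path,
                    "token_hint": tok[:10] + "...",  # never store the full token in the report
                    "subject": claims.get("sub"),
                    "expires": expires.isoformat() if expires else None,
                    "still_valid": bool(expires and expires > now),
                })
    return findings


def redact_tokens(line: str) -> str:
    """Replace every token=<value> in a log line so the line can be shared or archived safely."""
    return re.sub(r'(?i)([?&]token=)[^&\s"]+', r"\1REDACTED", line)


if __name__ == "__main__":
    for f in find_token_exposures(SAMPLE_LOG):
        print(f)
    for raw in SAMPLE_LOG.splitlines():
        print(redact_tokens(raw))
```

Findings flagged `still_valid` are the ones that need immediate rotation; expired ones still identify which users and clients were exposed and should feed the permission audit. The same `_tokens_in` check can be pointed at any URL source you hold (proxy logs, SIEM-forwarded requests), and the redaction regex is what you would apply before logs leave the security team.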

Evidence notes

Vulnerability confirmed in Portainer Community Edition. Affected versions: 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0. CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. CWE-598: Use of GET Request Method With Sensitive Query Strings.
