PatchSiren cyber security CVE debrief

CVE-2026-44885 portainer CVE debrief

Portainer Community Edition versions 2.33.0 through 2.33.7 contain a path traversal vulnerability in the backup restore feature. The `ExtractTarGz` function in `api/archive/targz.go` constructs output paths using `filepath.Clean(filepath.Join(outputDirPath, header.Name))`, which does not prevent directory traversal. A malicious `.tar.gz` archive containing entries such as `../../etc/cron.d/evil` can write files to arbitrary locations on the server filesystem. This vulnerability requires high privileges (backup restore access) and has been assigned a CVSS 3.1 score of 5.5 (MEDIUM). The issue was fixed in Portainer CE 2.33.8.

Vendor: portainer
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Portainer Community Edition 2.33.0-2.33.7 with backup restore functionality enabled; security teams managing container orchestration platforms; DevOps engineers responsible for Portainer deployments

Technical summary

The vulnerability exists in the `ExtractTarGz` function within `api/archive/targz.go`. The code uses `filepath.Clean(filepath.Join(outputDirPath, header.Name))` to determine the extraction path for each archive entry. `filepath.Join` concatenates the output directory with the header name and `filepath.Clean` resolves the `..` components, but `filepath.Clean` only normalizes the path; it does not enforce that the result remains within the intended output directory. A tar entry whose name contains `../` sequences therefore resolves to a path outside the extraction root. This allows an attacker with backup restore privileges to write arbitrary files to any location on the filesystem, potentially achieving code execution by overwriting cron jobs, systemd services, or other sensitive files.
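As an added illustration (not code from Portainer or the advisory), the following Go program places the Join-then-Clean pattern described above beside a containment check that rejects any entry resolving outside the output directory. The output directory `/tmp/restore`, the sample entry names and the function names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry would land outside the output directory.
var ErrTraversal = errors.New("archive entry escapes output directory")

// UnsafeEntryPath reproduces the pattern the advisory describes: Join, then Clean.
// Clean resolves the ".." components, but nothing checks that the result is still
// below outputDirPath, so "../../etc/cron.d/evil" cleanly resolves outside it.
func UnsafeEntryPath(outputDirPath, name string) string {
	return filepath.Clean(filepath.Join(outputDirPath, name))
}

// SafeEntryPath builds the same path and then rejects any result that is not the
// output directory itself or one of its descendants. The containment test uses
// filepath.Rel rather than a plain string prefix so that a sibling such as
// "/tmp/restore2" is not mistaken for a child of "/tmp/restore".
// The check is purely lexical; it does not follow symlinks already on disk.
func SafeEntryPath(outputDirPath, name string) (string, error) {
	root := filepath.Clean(outputDirPath)
	dest := filepath.Clean(filepath.Join(root, name))
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return dest, nil
}

func main() {
	// Constructed sample entry names: the advisory's traversal shape, a
	// sibling-directory variant, and a benign entry.
	names := []string{"../../etc/cron.d/evil", "data/../../restore2/x", "portainer.db"}
	for _, n := range names {
		fmt.Printf("unsafe: %-25s -> %s\n", n, UnsafeEntryPath("/tmp/restore", n))
		if p, err := SafeEntryPath("/tmp/restore", n); err != nil {
			fmt.Printf("safe:   %-25s -> rejected (%v)\n", n, err)
		} else {
			fmt.Printf("safe:   %-25s -> %s\n", n, p)
		}
	}
}
```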

Defensive priority

medium

Recommended defensive actions

  • Upgrade Portainer Community Edition to version 2.33.8 or later
  • Restrict backup restore functionality to highly trusted administrative users only
  • Validate backup archives in isolated environments before production restore operations
  • Monitor for unexpected file modifications in system directories (e.g., /etc/cron.d/, /etc/systemd/system/)
  • Review access logs for unauthorized backup restore operations

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-m8fg-67j7-cx4v and associated pull request. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified as root cause. Fix version 2.33.8 explicitly mentioned in advisory.
