These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
Portainer Community Edition versions 2.33.0 through 2.33.7 contain a path traversal vulnerability in the backup restore feature. The `ExtractTarGz` function in `api/archive/targz.go` constructs output paths using `filepath.Clean(filepath.Join(outputDirPath, header.Name))`; this normalizes the joined path but never checks that the result still lies inside `outputDirPath`, so `..` components in an entry name resolve to locations outside it. A malicious `.tar.gz` archive containing entries such as `../../etc/cron.d/evil` can write [truncated]
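The following is an added illustration of the containment check that the Join+Clean pattern lacks; it is not Portainer's code. `unsafeTargetPath` reproduces the pattern named in the advisory, `safeTargetPath` adds a lexical containment test, and `extractTarGz` is a minimal extractor built around it. The archive is constructed in memory (two entries, one of them `../../etc/cron.d/evil`) and the function names are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry would land outside the output directory.
var ErrTraversal = errors.New("archive entry escapes output directory")

// unsafeTargetPath mirrors the pattern described in the advisory: Join+Clean
// normalises the path but happily resolves "../" components out of outputDirPath.
func unsafeTargetPath(outputDirPath, name string) string {
	return filepath.Clean(filepath.Join(outputDirPath, name))
}

// safeTargetPath is the hardened form: after joining, require the result to be
// lexically contained in outputDirPath (the directory itself or something below it).
func safeTargetPath(outputDirPath, name string) (string, error) {
	root := filepath.Clean(outputDirPath)
	target := filepath.Clean(filepath.Join(root, name))
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// entry describes one regular file in a constructed test archive.
type entry struct{ Name, Body string }

// buildArchive builds a .tar.gz in memory (constructed sample, not a real Portainer backup).
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		must(tw.WriteHeader(&tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}))
		_, err := tw.Write([]byte(e.Body))
		must(err)
	}
	must(tw.Close())
	must(gz.Close())
	return buf.Bytes()
}

// extractTarGz extracts data under outputDirPath, aborting on the first entry that
// escapes it. Only directories and regular files are accepted; symlinks, devices and
// other entry types are refused. It returns the paths written before any error.
func extractTarGz(data []byte, outputDirPath string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeTargetPath(outputDirPath, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr) // no size cap here; a production extractor should bound this
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			return written, fmt.Errorf("refusing entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
	}
}

func main() {
	dir, err := os.MkdirTemp("", "restore-")
	must(err)
	defer os.RemoveAll(dir)
	fmt.Println("unsafe join resolves to:", unsafeTargetPath(dir, "../../etc/cron.d/evil"))
	archive := buildArchive([]entry{
		{"backup/portainer.db", "constructed"},
		{"../../etc/cron.d/evil", "* * * * * root id\n"},
	})
	written, err := extractTarGz(archive, dir)
	fmt.Println("written:", written, "error:", err)
}
```

The containment test is lexical, so it catches `..` in entry names but not a symlink already present under the output directory; an extractor that accepts symlink entries needs a separate check for those.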
Portainer Community Edition versions 2.33.0 through 2.33.7 and 2.39.0 contain a missing authorization vulnerability in the Custom Template file endpoint. The GET /api/custom_templates/{id}/file endpoint fails to enforce Resource Control access restrictions, allowing any authenticated user to read custom template file contents by enumerating sequential integer IDs. Custom template files may contain sensiti [truncated]
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x before 2.39.2, and 2.41.0 are affected by an information disclosure vulnerability where JWT bearer tokens are accepted via URL query parameter (?token=<JWT>) on authenticated API endpoints. This authentication method, used by browser-based container attach, exec, and pod shell features, causes tokens to be recorded in reverse-proxy access [truncated]
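Both of the two previous entries leave traces in the reverse proxy in front of Portainer: the custom-template issue shows up as one client walking sequential `/api/custom_templates/{id}/file` IDs, and the query-parameter issue as literal JWTs in request URLs. The following is an added detection example, not part of the page or of Portainer, that runs both checks over a handful of constructed nginx-style access log lines; the JWT in the sample is a fake three-part token and the thresholds, regexes and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of reverse-proxy access log lines (nginx combined format, shortened).
// The JWT on the attach request is a fake three-part token, not a real credential.
var sampleLog = []string{
	`10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/custom_templates/1/file HTTP/1.1" 200 512`,
	`10.0.0.5 - - [01/Jan/2026:10:00:02 +0000] "GET /api/custom_templates/2/file HTTP/1.1" 200 498`,
	`10.0.0.5 - - [01/Jan/2026:10:00:02 +0000] "GET /api/custom_templates/3/file HTTP/1.1" 200 1024`,
	`10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET /api/custom_templates/4/file HTTP/1.1" 200 77`,
	`10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET /api/custom_templates/5/file HTTP/1.1" 404 20`,
	`10.0.0.9 - - [01/Jan/2026:10:01:00 +0000] "GET /api/endpoints/1/docker/containers/abc123/attach?token=eyJhbGciOiJIUzI1NiJ9.eyJpZCI6Mn0.c2lnbmF0dXJl HTTP/1.1" 101 0`,
	`10.0.0.7 - - [01/Jan/2026:10:02:00 +0000] "GET /api/custom_templates/7/file HTTP/1.1" 200 300`,
}

var (
	lineRe  = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)
	tokenRe = regexp.MustCompile(`([?&]token=)[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`)
	tmplRe  = regexp.MustCompile(`^/api/custom_templates/(\d+)/file$`)
)

type request struct {
	Client, Method, Path string
	Status               int
}

func parseLine(line string) (request, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return request{}, false
	}
	status, _ := strconv.Atoi(m[4])
	return request{Client: m[1], Method: m[2], Path: m[3], Status: status}, true
}

// redactToken masks a JWT passed as ?token= so the line can be kept or shipped without
// retaining a reusable bearer credential; the bool reports whether one was present.
func redactToken(line string) (string, bool) {
	if !tokenRe.MatchString(line) {
		return line, false
	}
	return tokenRe.ReplaceAllString(line, "${1}[REDACTED]"), true
}

// longestRun returns the length of the longest run of consecutive integers in ids.
func longestRun(ids []int) int {
	if len(ids) == 0 {
		return 0
	}
	sort.Ints(ids)
	best, run := 1, 1
	for i := 1; i < len(ids); i++ {
		switch {
		case ids[i] == ids[i-1]:
			continue
		case ids[i] == ids[i-1]+1:
			run++
		default:
			run = 1
		}
		if run > best {
			best = run
		}
	}
	return best
}

// enumerationSuspects returns clients that fetched custom template files for at least
// minRun consecutive IDs, the access pattern of a sequential-ID sweep.
func enumerationSuspects(lines []string, minRun int) map[string]int {
	idsByClient := map[string][]int{}
	for _, line := range lines {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		path := r.Path
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i]
		}
		m := tmplRe.FindStringSubmatch(path)
		if m == nil {
			continue
		}
		id, _ := strconv.Atoi(m[1])
		idsByClient[r.Client] = append(idsByClient[r.Client], id)
	}
	out := map[string]int{}
	for client, ids := range idsByClient {
		if run := longestRun(ids); run >= minRun {
			out[client] = run
		}
	}
	return out
}

func main() {
	for _, line := range sampleLog {
		if clean, found := redactToken(line); found {
			fmt.Println("token in URL:", clean)
		}
	}
	fmt.Println("enumeration suspects (client -> consecutive IDs):", enumerationSuspects(sampleLog, 4))
}
```

Redaction at the proxy only limits exposure in logs already written; the advisory's fix is to stop accepting the token in the query string in the first place, so treat any `token=` hit as a signal to rotate that session as well.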
Portainer Community Edition (CE) and Enterprise Edition (EE) contain an authorization bypass vulnerability in the Kubernetes proxy middleware (kubeClientMiddleware). Affected versions from 2.33.0 to before 2.33.8 fail to halt request processing when secondary token validation fails, causing execution to continue with a nil tokenData value. While the Kubernetes endpoints require a valid Portainer session v [truncated]
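The defect described above is the fail-open middleware shape: an error response is written but the chain is not stopped. The following is an added example of that shape beside its fix, written for this page rather than taken from Portainer; the validator is a stub that accepts only the constructed value `good-token`, the header name and handler names are this example's own, and the downstream handler simply records whether it ran with a nil token.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenData is what the middleware is supposed to attach to the request on success.
type tokenData struct {
	UserID int
	Role   string
}

type tokenKey struct{}

// validateSecondaryToken stands in for the secondary token validation step. Only the
// constructed value "good-token" passes; everything else fails. Illustrative stub.
func validateSecondaryToken(tok string) (*tokenData, error) {
	if tok == "good-token" {
		return &tokenData{UserID: 7, Role: "standard"}, nil
	}
	return nil, errors.New("invalid token")
}

// vulnerableMiddleware has the fail-open shape: the error response is written, but the
// function does not return, so next runs with a nil *tokenData in the context.
func vulnerableMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		td, err := validateSecondaryToken(r.Header.Get("X-Secondary-Token"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			// BUG: missing "return" here
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, td)))
	})
}

// fixedMiddleware halts the chain on validation failure.
func fixedMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		td, err := validateSecondaryToken(r.Header.Get("X-Secondary-Token"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, td)))
	})
}

// proxyHandler stands in for the handler that forwards to the cluster once the
// middleware has "passed". It records whether it ran and whether the token was nil.
type proxyHandler struct {
	ran, nilToken bool
}

func (p *proxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.ran = true
	td, _ := r.Context().Value(tokenKey{}).(*tokenData)
	p.nilToken = td == nil
	if td == nil {
		// A real handler might dereference td and panic, or treat "no identity" as unrestricted.
		fmt.Fprint(w, "forwarded with no token data")
		return
	}
	fmt.Fprintf(w, "forwarded for user %d (%s)", td.UserID, td.Role)
}

// outcome summarises one request through a middleware chain.
type outcome struct {
	Status     int
	HandlerRan bool
	NilToken   bool
}

// exercise sends a request carrying the given secondary token through mw and reports what happened.
func exercise(mw func(http.Handler) http.Handler, token string) outcome {
	p := &proxyHandler{}
	req := httptest.NewRequest(http.MethodGet, "/api/endpoints/1/kubernetes/api/v1/secrets", nil)
	req.Header.Set("X-Secondary-Token", token)
	rec := httptest.NewRecorder()
	mw(p).ServeHTTP(rec, req)
	return outcome{Status: rec.Code, HandlerRan: p.ran, NilToken: p.nilToken}
}

func main() {
	fmt.Printf("vulnerable, bad token: %+v\n", exercise(vulnerableMiddleware, "bogus"))
	fmt.Printf("fixed, bad token:      %+v\n", exercise(fixedMiddleware, "bogus"))
	fmt.Printf("fixed, good token:     %+v\n", exercise(fixedMiddleware, "good-token"))
}
```

Note that the vulnerable chain still returns a 401 status, because `http.Error` wrote it first; the downstream work has nonetheless been done. Checking only the status code in a test would miss this, which is why the harness records whether the handler ran.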
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x before 2.39.2, and 2.41.0 contain a path traversal vulnerability via symlink following. The application uses go-git v5 to clone Git repositories for stack deployment, which creates OS-level symlinks for Git blob entries with mode 0o120000. Only .gitmodules is blocked; all other paths become symlinks without validation. The GET /api/stacks/ [truncated]
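A checkout that may contain attacker-controlled symlinks needs to be audited before any file under it is served. The following is an added example, not Portainer's code, of a post-clone sweep that resolves every symlink lexically against the checkout root and reports the ones that escape it. It does not use go-git; the sample checkout is constructed in a temporary directory with three symlinks (two escaping, one internal), and all function names are this example's own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// resolveLink returns the cleaned absolute path a symlink at linkPath points to,
// resolved lexically (no filesystem access) relative to the link's own directory.
func resolveLink(linkPath, target string) string {
	if filepath.IsAbs(target) {
		return filepath.Clean(target)
	}
	return filepath.Clean(filepath.Join(filepath.Dir(linkPath), target))
}

// escapes reports whether p lies outside root, lexically.
func escapes(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// findEscapingSymlinks walks a checked-out repository and returns the repository-
// relative paths of every symlink whose target resolves outside root. Links that
// point at other links inside root are fine: each link is judged on its own target.
func findEscapingSymlinks(root string) ([]string, error) {
	root, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	var bad []string
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		target, err := os.Readlink(p)
		if err != nil {
			return err
		}
		if escapes(root, resolveLink(p, target)) {
			rel, _ := filepath.Rel(root, p)
			bad = append(bad, rel)
		}
		return nil
	})
	sort.Strings(bad)
	return bad, err
}

// buildSampleCheckout creates a constructed stand-in for a cloned repository under dir:
// a compose file, one harmless internal symlink and two symlinks that leave the tree.
func buildSampleCheckout(dir string) error {
	if err := os.WriteFile(filepath.Join(dir, "docker-compose.yml"), []byte("services: {}\n"), 0o644); err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Join(dir, "env"), 0o755); err != nil {
		return err
	}
	links := map[string]string{
		"config":     "/etc/passwd",       // absolute target outside the checkout
		"alias.yml":  "docker-compose.yml", // internal, allowed
		"env/secret": "../../../outside",   // relative target that climbs out
	}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "checkout-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildSampleCheckout(dir); err != nil {
		panic(err)
	}
	bad, err := findEscapingSymlinks(dir)
	fmt.Println("escaping symlinks:", bad, "error:", err)
}
```

The sweep is a gate, not a substitute for safe file access: the handler that reads a file out of the checkout should still open it without following symlinks (for example by `Lstat`-ing each path component) so that a link written after the sweep cannot be followed.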
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain an authorization bypass vulnerability in the environment-level Disable bind mounts for non-administrators security setting. The enforcement logic only validated the legacy HostConfig.Binds array during container creation, while ignoring the equivalent HostConfig.Mounts array. An authenticated non-adminis [truncated]
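The bypass above comes from checking one encoding of a bind mount and not its equivalent. The following is an added example, not Portainer's code, that applies the setting to raw container-create request bodies: `hasBindMountLegacyOnly` has the flawed shape (only `HostConfig.Binds`), `hasBindMount` also inspects `HostConfig.Mounts`. The struct is a simplified model of the Docker Engine API body rather than the Docker SDK types, the three request bodies are constructed, and the named-volume heuristic for legacy `Binds` entries is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Simplified model of the Docker Engine API's container-create body, limited to the
// fields the advisory concerns. This is not an import of the Docker SDK types.
type Mount struct {
	Type   string `json:"Type"` // "bind", "volume", "tmpfs", "npipe"
	Source string `json:"Source"`
	Target string `json:"Target"`
}

type HostConfig struct {
	Binds  []string `json:"Binds"` // legacy "source:destination[:options]"
	Mounts []Mount  `json:"Mounts"`
}

type createRequest struct {
	Image      string     `json:"Image"`
	HostConfig HostConfig `json:"HostConfig"`
}

var errBindsForbidden = errors.New("bind mounts are disabled for non-administrators")

// isHostPath tells a host bind source apart from a named volume in a legacy Binds entry,
// using the Unix convention that absolute, relative or ~ paths are host paths
// (assumption of this example; Windows drive paths such as C:\ are not handled).
func isHostPath(src string) bool {
	return strings.HasPrefix(src, "/") || strings.HasPrefix(src, ".") || strings.HasPrefix(src, "~")
}

// hasBindMountLegacyOnly reproduces the flawed enforcement shape: only HostConfig.Binds
// is inspected, so a bind expressed through HostConfig.Mounts is invisible to it.
func hasBindMountLegacyOnly(hc HostConfig) bool {
	for _, b := range hc.Binds {
		if isHostPath(strings.SplitN(b, ":", 2)[0]) {
			return true
		}
	}
	return false
}

// hasBindMount is the hardened check: both arrays are inspected, and any Mount of
// type bind counts regardless of its source.
func hasBindMount(hc HostConfig) bool {
	if hasBindMountLegacyOnly(hc) {
		return true
	}
	for _, m := range hc.Mounts {
		if strings.EqualFold(m.Type, "bind") {
			return true
		}
	}
	return false
}

// checkCreateBody applies the "disable bind mounts for non-administrators" setting to a
// raw container-create request body using the supplied detector.
func checkCreateBody(body []byte, isAdmin bool, detect func(HostConfig) bool) error {
	var req createRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	if !isAdmin && detect(req.HostConfig) {
		return errBindsForbidden
	}
	return nil
}

// Constructed request bodies; the third uses a named volume and is legitimately allowed.
var (
	legacyBody = []byte(`{"Image":"alpine","HostConfig":{"Binds":["/:/host:rw"]}}`)
	mountsBody = []byte(`{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"bind","Source":"/","Target":"/host"}]}}`)
	volumeBody = []byte(`{"Image":"alpine","HostConfig":{"Mounts":[{"Type":"volume","Source":"data","Target":"/data"}]}}`)
)

func main() {
	for name, body := range map[string][]byte{"legacy": legacyBody, "mounts": mountsBody, "volume": volumeBody} {
		fmt.Printf("%-6s legacy-only check: %v  hardened check: %v\n", name,
			checkCreateBody(body, false, hasBindMountLegacyOnly), checkCreateBody(body, false, hasBindMount))
	}
}
```

The same "every encoding of the same capability" question applies to the other restricted categories in the next entry: whatever the check walks must be the union of all fields through which the daemon accepts that capability.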
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain a critical authorization bypass vulnerability. The platform's EndpointSecuritySettings feature allows administrators to restrict container configurations for non-admin users across seven categories: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp/AppArmor [truncated]
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain a critical authorization bypass in Docker plugin management. The `/plugins/*` endpoints were not registered with an access-control handler, allowing standard users with endpoint access to invoke privileged plugin operations—including installation and enabling—directly against the underlying Docker daemon [truncated]
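A route that is registered without its access-control wrapper is easy to miss by reading and easy to catch by auditing the registration table. The following is an added example, not Portainer's code, of a router that records every registration and can list the patterns that bypassed the wrapper; it rebuilds the shape of the bug (a `/plugins/` subtree handed straight to the daemon proxy) and the corrected form. The admin-only policy, the identity headers and the handler names are this example's own, and the proxy is a stub.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// user is the identity an upstream authentication layer is assumed to have resolved.
// For this illustration it is read from two headers; a real deployment would use the session.
type user struct {
	Name  string
	Admin bool
}

func currentUser(r *http.Request) user {
	return user{Name: r.Header.Get("X-User"), Admin: r.Header.Get("X-Role") == "admin"}
}

// guarded wraps a handler so the router can tell it was registered behind access control.
type guarded struct{ http.Handler }

// withAccessControl is a deliberately simple policy: only administrators pass.
// The point of the example is the wrapper type, not the policy itself.
func withAccessControl(next http.Handler) http.Handler {
	return guarded{http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !currentUser(r).Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})}
}

// router keeps its own registration table so the route set can be audited.
type router struct {
	mux    *http.ServeMux
	routes map[string]http.Handler
}

func newRouter() *router {
	return &router{mux: http.NewServeMux(), routes: map[string]http.Handler{}}
}

func (rt *router) Handle(pattern string, h http.Handler) {
	rt.routes[pattern] = h
	rt.mux.Handle(pattern, h)
}

// unguardedRoutes lists every registered pattern whose handler did not pass through
// withAccessControl. Run it in a unit test so a forgotten wrapper fails CI.
func (rt *router) unguardedRoutes() []string {
	var out []string
	for pattern, h := range rt.routes {
		if _, ok := h.(guarded); !ok {
			out = append(out, pattern)
		}
	}
	sort.Strings(out)
	return out
}

// dockerProxy stands in for the reverse proxy to the Docker daemon socket.
func dockerProxy() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "proxied %s %s to the daemon", r.Method, r.URL.Path)
	})
}

// buildRouter registers the subtrees. With guardPlugins=false it reproduces the shape
// of the bug: /plugins/ goes straight to the proxy without an access-control handler.
func buildRouter(guardPlugins bool) *router {
	rt := newRouter()
	proxy := dockerProxy()
	rt.Handle("/containers/", withAccessControl(proxy))
	rt.Handle("/images/", withAccessControl(proxy))
	if guardPlugins {
		rt.Handle("/plugins/", withAccessControl(proxy))
	} else {
		rt.Handle("/plugins/", proxy)
	}
	return rt
}

// statusFor issues an in-process request as the given role and returns the HTTP status.
func statusFor(rt *router, method, path, role string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-User", "alice")
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	rt.mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln, fixed := buildRouter(false), buildRouter(true)
	fmt.Println("unguarded (vulnerable):", vuln.unguardedRoutes())
	fmt.Println("standard user POST /plugins/create (vulnerable):", statusFor(vuln, "POST", "/plugins/create", "standard"))
	fmt.Println("unguarded (fixed):", fixed.unguardedRoutes())
	fmt.Println("standard user POST /plugins/create (fixed):", statusFor(fixed, "POST", "/plugins/create", "standard"))
}
```

The marker type is what makes the audit possible: because the wrapper returns a distinguishable value, a test can assert that `unguardedRoutes()` is empty for every router the application builds, instead of relying on someone noticing a missing call during review.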
Insecure default settings in Portainer Community Edition (CE) allow authenticated non-administrative users with endpoint access to read host files and achieve root-equivalent code execution on the host. The vulnerability stems from overly permissive default configurations that grant regular users capabilities typically reserved for administrators.