Portainer · Portainer · CVE-2018-19367
**Name of the Vulnerable Software and Affected Versions**
Portainer versions prior to 1.19.3
**Description**
The issue allows an attacker to set the admin password under certain conditions. It involves the API endpoint "/api/users/admin/check", which reports whether the admin user has already been created: if no admin user exists, the endpoint returns a 404 status code; if the admin user has already been created, it returns a 204 status code. An attacker can exploit the 404 case to set an admin password.
**Recommendations**
For Portainer versions prior to 1.19.3, as a temporary workaround, consider restricting access to the "/api/users/admin/check" API endpoint until a patch is available, and avoid relying on this endpoint to verify admin user creation until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
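The 404/204 behaviour described above is also what a defender can watch for: as long as the endpoint answers 404, the instance has no admin user and is in the exposed state. The following script is an added example (not Portainer's code and not part of the original advisory) that parses constructed reverse-proxy access-log lines in nginx "combined" format, maps the endpoint's status code to the state the advisory describes, and reports which clients probed the endpoint while it still returned 404. The log lines, the log format and the helper names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (nginx "combined" format) for a Portainer
# instance behind a reverse proxy. These are not real logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2018:08:01:02 +0000] "GET /api/users/admin/check HTTP/1.1" 404 0 "-" "curl/7.58.0"
10.0.0.5 - - [12/Nov/2018:08:01:03 +0000] "GET /api/users/admin/check HTTP/1.1" 404 0 "-" "curl/7.58.0"
192.168.1.20 - - [12/Nov/2018:08:02:10 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Nov/2018:08:05:44 +0000] "GET /api/users/admin/check HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CHECK_PATH = "/api/users/admin/check"  # endpoint named in the advisory


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def admin_state(status):
    """Map the check endpoint's status code to the state the advisory describes."""
    if status == 404:
        return "no-admin-yet"   # setup not completed: the instance is exposed
    if status == 204:
        return "admin-exists"
    return "unknown"


def analyze(log_text):
    """Summarise the instance's last observed admin state and the clients that
    hit the check endpoint while it still answered 404."""
    probes = Counter()
    last_state = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != CHECK_PATH:
            continue
        state = admin_state(rec["status"])
        if state == "no-admin-yet":
            probes[rec["ip"]] += 1
        if state != "unknown":
            last_state = state
    return {"last_state": last_state, "exposed_probes": dict(probes)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("last observed state:", report["last_state"])
    for ip, n in report["exposed_probes"].items():
        print(f"{ip} queried {CHECK_PATH} {n} time(s) while no admin user existed")
```

Feeding the proxy's real access log into `analyze()` turns this into a simple alert: any `no-admin-yet` state after initial deployment, or any `exposed_probes` entry from an unexpected source address, means the instance was reachable while still in the unconfigured state the advisory warns about, and is a reason to confirm the admin account and restrict the endpoint as recommended.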