Red Os · CVE-2026-44883
**Name of the Vulnerable Software and Affected Versions**
Portainer Community Edition versions 2.33.0 through 2.33.7
Portainer Community Edition versions 2.39.0 through 2.39.1
Portainer Community Edition versions prior to 2.41.0
**Description**
The authentication middleware accepts JSON Web Tokens (JWT) passed in the `token` URL query parameter on any authenticated API endpoint, in addition to the standard `Authorization: Bearer` header. Because URLs are recorded in browser history and in reverse-proxy and web-server access logs, and are sent in the HTTP Referer header on outbound navigation, a token carried this way can be harvested by anyone with access to those records. A harvested token grants the full privileges of the associated user until it expires or the user's sessions are invalidated. The exposure is reached in practice through the browser-based container attach, exec, and pod shell features, so the affected users are those with exec or attach rights on containers, including administrators. The vulnerable function `extractBearerToken()` in `api/http/security/bouncer.go` was responsible for reading the JWT from the query parameter.
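The following is an added illustration of the bug class and is not Portainer's own code: a reconstruction of the vulnerable extraction pattern (header first, query parameter as a fallback) beside a hardened extractor that accepts the Authorization header only, plus the reverse-proxy workaround written as Go middleware that drops the `token` parameter before the request reaches an unpatched backend. The request path and token values are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// extractTokenVulnerable reproduces the pattern described in the advisory:
// the Authorization header is checked first, but a `token` query parameter
// is accepted as a fallback on every endpoint. Illustrative reconstruction,
// not Portainer's extractBearerToken().
func extractTokenVulnerable(r *http.Request) (string, bool) {
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		if t := strings.TrimSpace(strings.TrimPrefix(auth, "Bearer ")); t != "" {
			return t, true
		}
	}
	// The fallback that puts credentials into URLs, logs and Referer headers.
	if t := r.URL.Query().Get("token"); t != "" {
		return t, true
	}
	return "", false
}

// extractTokenHardened accepts the bearer token from the Authorization header
// only; a token in the query string is ignored and the request is rejected.
func extractTokenHardened(r *http.Request) (string, bool) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", false
	}
	t := strings.TrimSpace(strings.TrimPrefix(auth, "Bearer "))
	return t, t != ""
}

// stripTokenQuery is the reverse-proxy workaround expressed as middleware:
// the `token` query parameter is removed before the request is forwarded,
// leaving every other parameter untouched.
func stripTokenQuery(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Has("token") {
			q.Del("token")
			r.URL.RawQuery = q.Encode()
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder path and token; the shape mirrors a browser console request.
	leaky := httptest.NewRequest("GET", "/api/websocket/exec?id=3&token=aaa.bbb.ccc", nil)
	t1, ok1 := extractTokenVulnerable(leaky)
	t2, ok2 := extractTokenHardened(leaky)
	fmt.Printf("vulnerable extractor: %q accepted=%v\n", t1, ok1)
	fmt.Printf("hardened extractor:   %q accepted=%v\n", t2, ok2)

	var forwarded string
	proxy := stripTokenQuery(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		forwarded = r.URL.RequestURI()
	}))
	proxy.ServeHTTP(httptest.NewRecorder(), leaky)
	fmt.Println("forwarded to backend as:", forwarded)
}
```

With the middleware in place an unpatched backend never sees the query token, so the vulnerable extractor fails closed on the forwarded request; the stripping does not, however, remove the token from the proxy's own access log, which still records the original request line.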
**Recommendations**
Update to version 2.33.8 for the 2.33.x branch.
Update to version 2.39.2 for the 2.39.x branch.
Update to version 2.41.0 for the 2.40.x branch and other affected versions.
As a temporary workaround on unpatched versions, add a rewrite rule in the reverse proxy in front of Portainer (nginx, Traefik or similar) that strips the `token` query parameter before the request reaches the application, so that a token in the URL is never accepted. Verify afterwards that the browser-based attach, exec and pod shell features still work, since those are the paths that carried the token in the URL. Note that the proxy's own access log will typically still record the original request line, so restrict access to that log or scrub the parameter from it as well.
Reduce the JWT session timeout in settings to shorten the exposure window for issued tokens.
Search reverse-proxy and web-server access logs for requests carrying `token=` in the query string to identify the users whose tokens may have been captured, and reset their passwords to invalidate their sessions; treat those logs as sensitive until the tokens in them have expired or been scrubbed.
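The log triage described above, as an added example that is not part of the advisory or of Portainer: it scans combined-format access log lines for a `token` query parameter, decodes the JWT payload without verifying it (acceptable only for triage of already-leaked tokens) and returns the usernames that need a password reset. The claim names `username` and `id` are assumptions about the token layout, the log lines are constructed, and the tokens are unsigned placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// requestRe pulls the request target out of a combined-format access log line.
var requestRe = regexp.MustCompile(`"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/[0-9.]+"`)

// tokenFromLine returns the value of a `token` query parameter in the logged
// request target, if one is present.
func tokenFromLine(line string) (string, bool) {
	m := requestRe.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return "", false
	}
	t := u.Query().Get("token")
	return t, t != ""
}

// jwtClaims decodes the payload of a JWT without verifying the signature.
// Never use unverified claims for an authorization decision; here they only
// tell us which user's session was exposed.
func jwtClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// LeakedUsers returns the sorted, de-duplicated usernames whose token was sent
// in a URL according to the supplied log lines. The "username" claim name is
// an assumption; adjust it to the claims your tokens actually carry.
func LeakedUsers(lines []string) []string {
	seen := map[string]bool{}
	for _, line := range lines {
		tok, ok := tokenFromLine(line)
		if !ok {
			continue
		}
		claims, err := jwtClaims(tok)
		if err != nil {
			continue // a token= value that is not a JWT is not a leaked session
		}
		if name, ok := claims["username"].(string); ok {
			seen[name] = true
		}
	}
	users := make([]string, 0, len(seen))
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

// fakeJWT builds an unsigned placeholder token for the constructed sample log;
// the signature segment is dummy because jwtClaims never checks it.
func fakeJWT(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

// SampleLog is a constructed nginx combined-format access log: two users
// whose tokens appear in the query string (one of them twice), one clean
// request, and one token= value that is not a JWT.
func SampleLog() []string {
	admin := fakeJWT(map[string]any{"id": 1, "username": "admin", "exp": 1900000000})
	ops := fakeJWT(map[string]any{"id": 7, "username": "ops", "exp": 1900000000})
	return []string{
		`10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/websocket/exec?endpointId=1&id=abc&token=` + admin + ` HTTP/1.1" 101 0 "https://portainer.example/" "Mozilla/5.0"`,
		`10.0.0.9 - - [01/Mar/2026:10:02:17 +0000] "GET /api/websocket/attach?endpointId=1&id=def&token=` + ops + ` HTTP/1.1" 101 0 "https://portainer.example/" "Mozilla/5.0"`,
		`10.0.0.9 - - [01/Mar/2026:10:03:40 +0000] "GET /api/endpoints HTTP/1.1" 200 812 "-" "curl/8.5.0"`,
		`10.0.0.5 - - [01/Mar/2026:10:05:02 +0000] "GET /api/websocket/exec?endpointId=1&id=abc&token=` + admin + ` HTTP/1.1" 101 0 "https://portainer.example/" "Mozilla/5.0"`,
		`10.0.0.2 - - [01/Mar/2026:10:06:00 +0000] "GET /api/stacks?token=notajwt HTTP/1.1" 200 40 "-" "curl/8.5.0"`,
	}
}

func main() {
	for _, u := range LeakedUsers(SampleLog()) {
		fmt.Println("reset password for:", u)
	}
}
```

Run it against a real log by feeding the file's lines to `LeakedUsers`; the `exp` claim in each decoded payload also tells you whether a captured token is still within its validity window.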