PT-2026-41035 · Portainer · Portainer

Ikkebr · Published 2026-05-14 · Updated 2026-05-28 · CVE-2026-44848

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
- Portainer versions 2.33.0 through 2.33.7
- Portainer versions 2.39.0 through 2.39.1
- Portainer versions 2.40.0 through 2.40.x
- Portainer versions prior to 2.33.0

Description
An authorization bypass exists in the Docker API proxy layer: the plugin management endpoints were not registered with a handler. This allows non-admin users with endpoint access to bypass Role-Based Access Control (RBAC) and send privileged requests directly to the Docker daemon. An authenticated user can pull an arbitrary plugin via 'POST /plugins/pull', grant it high privileges such as CAP_SYS_ADMIN and host-path mounts, and enable it via 'POST /plugins/{name}/enable'. Since Docker plugins execute as root on the host, this can lead to a container escape, giving the user root access to the host filesystem.

Recommendations
- Update Portainer versions 2.33.x to 2.33.8.
- Update Portainer versions 2.39.x to 2.39.2.
- Update Portainer versions 2.40.x to 2.41.0.
- Upgrade end-of-life versions prior to 2.33.0 to a supported LTS branch.
- As a temporary workaround, revoke Docker endpoint access for non-admin users via Portainer RBAC.

Weakness Enumeration
Missing Authorization

Related Identifiers

CVE-2026-44848
GHSA-RRMM-9V76-H3P4

Affected Products

Portainer