PT-2026-41036 · Go · github.com/portainer/portainer

Johanneslks · Published 2026-05-14 · Updated 2026-05-28


CVE-2026-44849 · CVSS v4.0 9.4 Critical
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions
  • Portainer Community Edition versions 2.33.0 through 2.33.7
  • Portainer Community Edition versions 2.39.0 through 2.39.1
  • Portainer Community Edition versions 2.40.0 through 2.40.x
  • Portainer Community Edition versions prior to 2.33.0

Description
Portainer fails to properly enforce EndpointSecuritySettings restrictions on the Docker Swarm service API, allowing non-admin users with Swarm endpoint access to bypass security policies. Restrictions on privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor) and bind mounts are enforced during standard container creation, but they are not consistently applied to Swarm services.
Technical details include:
  • The 'POST /services/create' endpoint only applies one of seven checks, failing to validate CapabilityAdd, CapabilityDrop, Sysctls, and Privileges (Seccomp / AppArmor) in the request body.
  • The 'POST /services/{id}/update' endpoint applies zero checks, as it does not inspect the request body or call the fetchEndpointSecuritySettings() function.
  • The 'POST /volumes/create' endpoint lacks any AllowBindMountsForRegularUsers checks.
  • A bypass exists where a mount with Type: "volume" and VolumeOptions.DriverConfig.Options containing type: "none", o: "bind" is handed to the local volume driver, which bind-mounts the host path given in the device option. The Docker daemon therefore treats it as a bind mount, while a check that only looks for Type: "bind" never sees it, so the bind-mount restriction is bypassed.
An attacker can use these flaws to gain elevated Linux capabilities (e.g. CAP_SYS_ADMIN), disable syscall filtering or AppArmor, and create bind mounts of host paths (such as /), potentially achieving root access on the Swarm manager host.
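The checks the advisory describes as missing, written out as an added Go example for this page (illustrative code, not Portainer's own implementation). The EndpointSecuritySettings field names are assumptions made here, the Docker Engine API request types are trimmed to the fields the checks inspect, and the request body at the bottom is constructed for the example: it carries the disguised bind mount of "/", a CAP_SYS_ADMIN addition and seccomp/AppArmor turned off. ValidateServiceSpec is meant to run on the body of both POST /services/create and POST /services/{id}/update, and the same local-driver option check is reused for POST /volumes/create.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// EndpointSecuritySettings stands in for the per-endpoint policy the advisory says
// the Swarm routes skip; the field names are assumptions made for this example.
type EndpointSecuritySettings struct {
	AllowBindMountsForRegularUsers, AllowCapabilitiesForRegularUsers   bool
	AllowSysctlSettingForRegularUsers, AllowSecurityOptForRegularUsers bool
}

// Docker Engine API request shapes, reduced to the fields the checks inspect.
// encoding/json matches keys case-insensitively, as the daemon's decoder does.
type (
	mount struct {
		Type, Target  string
		VolumeOptions *struct{ DriverConfig *struct{ Name string; Options map[string]string } }
	}
	containerSpec struct {
		Mounts                        []mount
		CapabilityAdd, CapabilityDrop []string
		Sysctls                       map[string]string
		Privileges                    *struct{ Seccomp, AppArmor json.RawMessage }
	}
	serviceSpec struct{ TaskTemplate struct{ ContainerSpec containerSpec } }
)

// localDriverBindOpts reports whether local-driver options request a bind mount
// (type "none" or unset, bind/rbind in "o"); "device" is then the host path mounted.
func localDriverBindOpts(opts map[string]string) bool {
	if t := strings.ToLower(strings.TrimSpace(opts["type"])); t != "" && t != "none" {
		return false
	}
	for _, o := range strings.Split(opts["o"], ",") {
		if strings.Contains(strings.ToLower(strings.TrimSpace(o)), "bind") {
			return true
		}
	}
	return false
}

// isBindMount catches the plain form and the disguised form from the advisory:
// Type "volume" on the local driver (the default) with type=none, o=bind.
func isBindMount(m mount) bool {
	if strings.EqualFold(m.Type, "bind") {
		return true
	}
	if !strings.EqualFold(m.Type, "volume") || m.VolumeOptions == nil || m.VolumeOptions.DriverConfig == nil {
		return false
	}
	dc := m.VolumeOptions.DriverConfig
	return (dc.Name == "" || strings.EqualFold(dc.Name, "local")) && localDriverBindOpts(dc.Options)
}

// ValidateServiceSpec applies one policy to the body of POST /services/create and
// POST /services/{id}/update alike. It returns the violated rules (nil = allowed).
func ValidateServiceSpec(body []byte, s EndpointSecuritySettings) ([]string, error) {
	var spec serviceSpec
	if err := json.Unmarshal(body, &spec); err != nil {
		return nil, err
	}
	cs := spec.TaskTemplate.ContainerSpec
	var v []string
	deny := func(cond bool, rule string) {
		if cond {
			v = append(v, rule)
		}
	}
	for _, m := range cs.Mounts {
		deny(!s.AllowBindMountsForRegularUsers && isBindMount(m), "bind mount at "+m.Target)
	}
	deny(!s.AllowCapabilitiesForRegularUsers && len(cs.CapabilityAdd)+len(cs.CapabilityDrop) > 0,
		"capabilities add="+strings.Join(cs.CapabilityAdd, ",")+" drop="+strings.Join(cs.CapabilityDrop, ","))
	deny(!s.AllowSysctlSettingForRegularUsers && len(cs.Sysctls) > 0, "sysctls")
	p := cs.Privileges
	deny(!s.AllowSecurityOptForRegularUsers && p != nil && (len(p.Seccomp) > 0 || len(p.AppArmor) > 0),
		"security-opt (seccomp/apparmor)")
	return v, nil
}

// VolumeCreateBindsHost runs the same option check on a POST /volumes/create body.
func VolumeCreateBindsHost(body []byte) (bool, error) {
	var vol struct{ Driver string; DriverOpts map[string]string }
	if err := json.Unmarshal(body, &vol); err != nil {
		return false, err
	}
	return (vol.Driver == "" || strings.EqualFold(vol.Driver, "local")) && localDriverBindOpts(vol.DriverOpts), nil
}

// DisguisedServiceBody is a constructed body: disguised bind mount of "/",
// CAP_SYS_ADMIN added, seccomp and AppArmor turned off.
const DisguisedServiceBody = `{"Name":"escape","TaskTemplate":{"ContainerSpec":{"Image":"alpine",
 "CapabilityAdd":["CAP_SYS_ADMIN"],"Privileges":{"Seccomp":{"Mode":"unconfined"},"AppArmor":{"Mode":"disabled"}},
 "Mounts":[{"Type":"volume","Source":"hostroot","Target":"/host","VolumeOptions":{"DriverConfig":
  {"Name":"local","Options":{"type":"none","o":"bind","device":"/"}}}}]}}}`

func main() {
	fmt.Println(ValidateServiceSpec([]byte(DisguisedServiceBody), EndpointSecuritySettings{})) // zero value = all locked
}
```

Two details matter in practice. The daemon's JSON decoder matches field names case-insensitively, so the policy lets the same decoder populate its reduced structs and compares mount types and driver names with EqualFold rather than on exact strings; a request that spells the keys in lower case must not slip past. And the "o" option is a comma-separated mount(8) list, so "rw,rbind" requests a bind mount as much as "bind" does. A request from a non-admin user for which ValidateServiceSpec returns a non-empty list, or for which VolumeCreateBindsHost returns true, should be rejected before it is forwarded to the Docker API.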
Recommendations
  • Update Portainer Community Edition versions 2.33.0 through 2.33.7 to 2.33.8.
  • Update Portainer Community Edition versions 2.39.0 through 2.39.1 to 2.39.2.
  • Update Portainer Community Edition versions 2.40.0 through 2.40.x to 2.41.0.
  • Upgrade all versions prior to 2.33.0 to a supported LTS branch.
  • As a temporary workaround, revoke Swarm endpoint access for non-admin users via Portainer RBAC.
  • Segregate manager and worker nodes using placement constraints so that user workloads cannot run on manager nodes.
  • Block the creation of local-driver volumes that use type: none and o: bind on untrusted endpoints via a daemon-side allowlist.

Weakness Enumeration
Missing Authorization

Related Identifiers

CVE-2026-44849
GHSA-5FXQ-QCF3-244W

Affected Products

github.com/portainer/portainer
Portainer