PT-2026-41142 · Portainer+1 · Portainer Ce+2
Kolega-Ai-Dev · Published 2026-05-14 · Updated 2026-05-28 · CVE-2026-44882
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: portainer-ce versions 2.33.0 through 2.33.7; portainer-ce-agent versions 2.33.0 through 2.33.7.

Description: An authorization bypass exists in the middleware layer kubeClientMiddleware in the file api/http/handler/kubernetes/handler.go. The middleware validates user tokens before forwarding traffic to Kubernetes clusters; however, when the security.RetrieveTokenData() function returns an error, the middleware writes an HTTP 403 response but does not return, so execution continues. The request therefore reaches the handler with a nil tokenData value, bypassing the authorization checks. An attacker with a valid Portainer session can use this flaw to read or modify Kubernetes resources, such as pods, secrets, config maps, and deployments, on target endpoints that their role should not permit. This could lead to lateral movement if sensitive credentials are recovered from Kubernetes secrets.

Recommendations: Update portainer-ce to version 2.33.8. Update portainer-ce-agent to version 2.33.8. Restrict Kubernetes endpoint access by removing access for users who do not require it. Audit Kubernetes RBAC to ensure the service account used by Portainer follows the principle of least privilege.
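The bug class in the description (an error branch that writes a 403 but falls through to the next handler) is easy to reproduce and to regression-test in plain Go. The following is an added example and is not Portainer's code: tokenData, retrieveTokenData, vulnerableMiddleware, fixedMiddleware, probe and exercise are constructed stand-ins for the real middleware and token lookup, and the X-Session header and the session values "admin" and "bogus" are invented for the demonstration. The vulnerable variant shows the downstream handler running with a nil token despite the 403; the fixed variant returns right after writing the error.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenData is a constructed stand-in for the session data a token lookup
// returns (hypothetical type, not Portainer's).
type tokenData struct {
	UserID int
	Role   string
}

type ctxKey struct{}

// retrieveTokenData is a constructed stand-in for the token lookup: it only
// succeeds for the invented session value "admin" and fails otherwise.
func retrieveTokenData(r *http.Request) (*tokenData, error) {
	switch r.Header.Get("X-Session") {
	case "admin":
		return &tokenData{UserID: 1, Role: "admin"}, nil
	case "":
		return nil, errors.New("missing session")
	default:
		return nil, errors.New("unknown session")
	}
}

// vulnerableMiddleware reproduces the pattern from the advisory: the 403 is
// written, but execution continues into next with a nil token in the context.
func vulnerableMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		td, err := retrieveTokenData(r)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			// BUG: no return here, so next.ServeHTTP still runs.
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, td)))
	})
}

// fixedMiddleware returns immediately after writing the error response.
func fixedMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		td, err := retrieveTokenData(r)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, td)))
	})
}

// probe is a constructed downstream handler that trusts its middleware and
// does not re-check the token; it records whether it ran and what it saw.
type probe struct {
	ran    bool
	sawNil bool
}

func (p *probe) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.ran = true
	td, _ := r.Context().Value(ctxKey{}).(*tokenData)
	p.sawNil = td == nil
	fmt.Fprint(w, "secret-list") // stands in for data the handler would return
}

// exercise sends one request with the given session value through mw and
// reports the recorded status, whether the handler ran, and the body.
func exercise(mw func(http.Handler) http.Handler, session string) (int, bool, string) {
	p := &probe{}
	req := httptest.NewRequest(http.MethodGet, "/kubernetes/1/secrets", nil)
	if session != "" {
		req.Header.Set("X-Session", session)
	}
	rec := httptest.NewRecorder()
	mw(p).ServeHTTP(rec, req)
	return rec.Code, p.ran, rec.Body.String()
}

func main() {
	cases := []struct {
		name string
		mw   func(http.Handler) http.Handler
	}{{"vulnerable", vulnerableMiddleware}, {"fixed", fixedMiddleware}}
	for _, c := range cases {
		code, ran, body := exercise(c.mw, "bogus")
		fmt.Printf("%-10s status=%d handlerRan=%v body=%q\n", c.name, code, ran, body)
	}
}
```

With the vulnerable middleware the recorder reports status 403 (the second WriteHeader is ignored) yet the body is "forbidden\nsecret-list": the handler executed, and any side effect of a mutating request would have happened regardless of the status code. A test that asserts the handler did not run on an authorization failure catches this class of regression directly.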

Tags: Exploit · Fix · DoS · Incorrect Authorization · Improper Access Control


Weakness Enumeration

Related Identifiers: BDU:2026-07973, CVE-2026-44882, GHSA-MGQ6-4X29-88R3

Affected Products: Portainer Ce, Portainer Agent, Red Os