PT-2026-41145 · Go · Github.Com/Portainer/Portainer

Published: 2026-05-14 · Updated: 2026-05-28 · CVE-2026-44885

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Portainer Community Edition versions prior to 2.39.0

Description: The backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function ExtractTarGz() in api/archive/targz.go builds each output path as filepath.Clean(filepath.Join(outputDirPath, header.Name)). Clean() normalises the path but never checks that the result stays under outputDirPath, so it does not prevent directory traversal. A crafted archive containing entries such as ../../etc/cron.d/evil resolves to a path outside the extraction root, allowing an attacker with administrator access to write files to arbitrary locations on the server filesystem. This permits arbitrary file writes at any path accessible to the Portainer process and potential host persistence via cron directories, SSH authorized key files, or executable paths.

Recommendations: Update to version 2.39.0 or later, or to version 2.33.8 on the 2.33.x LTS branch. Only restore archives obtained from trusted sources over encrypted channels. Use backup encryption so that only a holder of the correct passphrase can supply a valid archive for extraction.
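The following Go program is an added illustration, not code from Portainer: it reproduces the Clean(Join(...)) construction the advisory describes next to a containment check of the kind the fix needs, and runs both over constructed header names (the extraction root and entries are assumed values, not taken from a real archive).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an entry that would land outside the extraction root.
var ErrTraversal = errors.New("archive entry escapes extraction root")

// vulnerableTarget mirrors the path construction the advisory describes:
// Clean(Join(root, name)) normalises "..", but does nothing to keep the
// result under root.
func vulnerableTarget(root, name string) string {
	return filepath.Clean(filepath.Join(root, name))
}

// safeTarget builds the same path, then refuses it unless it is root itself
// or lies strictly below root. Comparing against root plus a separator stops
// a sibling such as root+"2" from passing a bare prefix check. Symlink
// entries inside the archive are a separate concern and are not handled here.
func safeTarget(root, name string) (string, error) {
	root = filepath.Clean(root)
	target := filepath.Clean(filepath.Join(root, name))
	if target == root || strings.HasPrefix(target, root+string(filepath.Separator)) {
		return target, nil
	}
	return "", ErrTraversal
}

func main() {
	// Constructed extraction root and header names (assumed values).
	root := "/srv/portainer/restore"
	entries := []string{
		"data/portainer.db",     // ordinary entry, stays under root
		"./",                    // the root directory entry itself
		"../../etc/cron.d/evil", // the traversal pattern named in the advisory
		"../restore2/x",         // sibling directory: a bare prefix check would miss it
	}
	for _, name := range entries {
		safe, err := safeTarget(root, name)
		fmt.Printf("%-24q unchecked=%-32s checked=%q err=%v\n",
			name, vulnerableTarget(root, name), safe, err)
	}
}
```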

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-44885, GHSA-M8FG-67J7-CX4V

Affected Products: Github.Com/Portainer/Portainer, Portainer