Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Published: 2026-05-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Portainer Community Edition had a missing authorization check for its Docker plugin endpoints (/plugins/*), allowing users who are not administrators but have endpoint access through RBAC to perform privileged plugin operations such as installing and enabling plugins directly against the Docker daemon. This flaw enables an attacker to execute arbitrary code on the host system, compromising confidentiality, integrity, and availability of the underlying infrastructure. The vulnerability is rooted in a lack of authorization control, identified by CWE‑862.

Affected Systems

Portainer Community Edition versions from 2.33.0 up to but not including 2.33.8, the 2.39.2 build, and the 2.41.0 release are affected. Any installation of these releases that exposes non‑admin roles to Docker endpoints via Portainer’s RBAC configuration is at risk.

Risk and Exploitability

The CVSS score of 9.4 signals critical severity, and although an EPSS score is not supplied, the absence of a KEV listing does not reduce the risk, as attacker effort remains low for users with endpoint access. The likely attack vector is remote interaction with the Portainer service over its web interface or API, exploiting the unauthenticated ability of standard users to invoke privileged plugin actions on the local Docker daemon.

Generated by OpenCVE AI on May 28, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of Portainer Community Edition, such as 2.33.8 or newer, 2.39.2 or newer, or 2.41.0 or newer.
  • Reconfigure RBAC so that only trusted administrators have Docker endpoint access, removing standard users from this permission set.
  • If Docker plugin functionality is not required, disable the /plugins/* endpoints entirely or restrict them to privileged roles only.

Generated by OpenCVE AI on May 28, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rrmm-9v76-h3p4 Portainer missing authorization on Docker plugin endpoints, which allows host RCE
History

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Portainer
Portainer portainer
Vendors & Products Portainer
Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Title Portainer: Missing authorization on Docker plugin endpoints allows host RCE
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Portainer Portainer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T21:08:17.057Z

Reserved: 2026-05-07T21:21:48.353Z

Link: CVE-2026-44848

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T22:16:58.837

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44848

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T22:30:28Z

Weaknesses