Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Published: 2026-05-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Portainer Community Edition failed to enforce the configured EndpointSecuritySettings on the Docker Swarm service creation and update API. The restrictions that normally prevent non-admin users from launching containers in privileged mode, with the host PID namespace, device mappings, additional capabilities, sysctls, security-opt profiles, or bind mounts were ignored for services managed via Swarm. A user with permission to create or update a Swarm service can therefore launch a container that bypasses these controls and gains elevated privileges on the host, potentially exposing confidential data, modifying system integrity, or disrupting availability. The weakness is a classic missing authorization error (CWE-862).

Affected Systems

Portainer Community Edition versions from 2.33.0 through 2.33.7, and all releases prior to 2.39.2 and prior to 2.41.0, are affected. The security fixes are included in 2.33.8, 2.39.2, and 2.41.0 and later. The vulnerability specifically applies to deployments that use Docker Swarm mode and rely on Portainer for service creation.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity; no public exploit has been reported, the EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. An attacker exploits it by sending otherwise legitimate Swarm service create or update requests through the Portainer UI or API, provided their account has the necessary permissions. The vulnerability requires no network-facing exploitation beyond that: an authenticated role that can interact with the Swarm service API is sufficient. Because the flaw bypasses the configured security restrictions, the attacker can achieve full control over the host, a high-impact privilege escalation.

Generated by OpenCVE AI on May 28, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Portainer to a patched version (2.33.8, 2.39.2, 2.41.0, or later).
  • Restrict user permissions so that only trusted administrators can create or update Docker Swarm services. Remediate by tightening role‑based access control.
  • Audit service creation and update operations, and enforce additional checks or scripts to ensure EndpointSecuritySettings are applied to Swarm services.
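One way to implement the audit in the last recommendation, as an added example that is not Portainer's own code: a check that inspects a Swarm service create/update body before it reaches the engine. It assumes the Docker Engine API field names under TaskTemplate.ContainerSpec (CapabilityAdd, Sysctls, Mounts, Privileges.Seccomp/AppArmor) and covers the four restrictions those fields map to; the policy dict and the sample body are constructed for the example.

```python
from __future__ import annotations
from typing import Any

# Policy shape is constructed for this example: True means non-admin
# users may use that setting (the equivalent of Portainer's toggle).
DEFAULT_POLICY = {"capabilities": False, "sysctls": False,
                  "security_opt": False, "bind_mounts": False}

# Constructed service create/update body of the kind a non-admin user could submit.
SAMPLE_SPEC = {
    "Name": "web",
    "TaskTemplate": {"ContainerSpec": {
        "Image": "nginx:alpine",
        "CapabilityAdd": ["CAP_SYS_ADMIN"],
        "Sysctls": {"net.ipv4.ip_forward": "1"},
        "Privileges": {"Seccomp": {"Mode": "unconfined"},
                       "AppArmor": {"Mode": "disabled"}},
        "Mounts": [{"Type": "bind", "Source": "/srv/app", "Target": "/app"},
                   {"Type": "volume", "Source": "data", "Target": "/data"}],
    }},
}


def audit_service_spec(spec: dict[str, Any],
                       policy: dict[str, bool] | None = None) -> list[str]:
    """Return the restrictions a Swarm ServiceSpec body would violate (empty if none)."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    cs = (spec.get("TaskTemplate") or {}).get("ContainerSpec") or {}
    violations: list[str] = []
    caps = cs.get("CapabilityAdd") or []
    if caps and not policy["capabilities"]:
        violations.append(f"capabilities: added {sorted(caps)}")
    sysctls = cs.get("Sysctls") or {}
    if sysctls and not policy["sysctls"]:
        violations.append(f"sysctls: set {sorted(sysctls)}")
    priv = cs.get("Privileges") or {}
    if not policy["security_opt"]:
        for key in ("Seccomp", "AppArmor"):
            prof = priv.get(key) or {}
            # Mode "default" (or unset) is the engine default; anything else is a custom profile.
            if prof.get("Mode", "default") != "default":
                violations.append(f"security_opt: custom {key} profile ({prof['Mode']})")
    binds = [m.get("Source") for m in cs.get("Mounts") or [] if m.get("Type") == "bind"]
    if binds and not policy["bind_mounts"]:
        violations.append(f"bind_mounts: {binds}")
    return violations


if __name__ == "__main__":
    for v in audit_service_spec(SAMPLE_SPEC):
        print("DENY:", v)
```

A gateway or admission hook in front of the Portainer API can reject any request where this returns a non-empty list.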

Advisories
Source: GitHub GHSA
ID: GHSA-5fxq-qcf3-244w
Title: Portainer has an endpoint security bypass via Swarm service create/update
History

Fri, 29 May 2026 15:30:00 +0000

Metrics (ssvc) added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:45:00 +0000

First Time appeared (added): Portainer; Portainer portainer
Vendors & Products (added): Portainer; Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Description (added): Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Title (added): Portainer: Endpoint security bypass via Swarm service create/update
Weaknesses (added): CWE-862
References (added):
Metrics (cvssV4_0) added:

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T13:55:06.837Z

Reserved: 2026-05-07T21:21:48.353Z

Link: CVE-2026-44849

Vulnrichment

Updated: 2026-05-29T13:55:01.267Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T22:16:58.973

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:00:16Z

Weaknesses