Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement — execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware — for example a user without permission to access a given Kubernetes endpoint — would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8.
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies within the kubeClientMiddleware of Portainer Community and Enterprise editions. When a token validation error occurs, the middleware emits a 403 response but fails to halt execution, allowing the request to reach the Kubernetes handler with a nil tokenData. Because the outer AuthenticatedAccess gate only verifies that the user has a valid Portainer session, an attacker who forces secondary token validation to fail—such as a user lacking permission for a particular Kubernetes endpoint—can still proxy that request to the cluster. The result is unauthorized access to Kubernetes resources, potentially allowing an attacker to read or modify data, expose secrets or deploy malicious workloads. This directly violates the principle of least privilege and introduces a serious privilege‑escalation vector.
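As an added illustration, not code from Portainer or from this record, the Go program below models the defect described above: a stand-in middleware writes the 403 on token-validation failure and, in the unfixed variant, falls through to the downstream handler carrying a nil tokenData, exactly the path the advisory describes. tokenData, kubeHandler, retrieveTokenData, the X-Deny-Token header and the /api/kubernetes/1/pods path are constructed stand-ins and assumptions, not Portainer's real API.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-ins for Portainer's token payload, security.RetrieveTokenData and
// the proxied Kubernetes handler; validation fails when the made-up X-Deny-Token header is set.
type tokenData struct{ Username string }
type kubeHandler func(w http.ResponseWriter, r *http.Request, td *tokenData)
func retrieveTokenData(r *http.Request) (*tokenData, error) {
	if r.Header.Get("X-Deny-Token") != "" {
		return nil, errors.New("token validation failed")
	}
	return &tokenData{Username: "alice"}, nil
}

// kubeMiddleware mirrors the advisory's kubeClientMiddleware. With fixed=false the 403 is
// written but execution falls through to next with td == nil; fixed=true adds the return.
func kubeMiddleware(next kubeHandler, fixed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		td, err := retrieveTokenData(r)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			if fixed {
				return // the statement missing before 2.33.8
			}
		}
		next(w, r, td)
	})
}

// probe runs one request through the middleware and reports whether the downstream handler
// (the cluster proxy stand-in) ran, whether it got a nil token, and the status the client saw.
func probe(fixed bool, denyToken string) (reached, nilToken bool, status int) {
	next := func(_ http.ResponseWriter, _ *http.Request, td *tokenData) { reached, nilToken = true, td == nil }
	req := httptest.NewRequest(http.MethodGet, "/api/kubernetes/1/pods", nil)
	req.Header.Set("X-Deny-Token", denyToken) // "" passes validation, anything else fails
	rec := httptest.NewRecorder()
	kubeMiddleware(next, fixed).ServeHTTP(rec, req)
	return reached, nilToken, rec.Code
}

func main() {
	fmt.Println(probe(false, "1")) // true true 403: rejected, yet forwarded with a nil token
	fmt.Println(probe(true, "1"))  // false false 403: rejected and stopped
}
```

The client sees 403 on both paths, so the forwarded request is invisible in the response status; only the downstream side (the reached flag here, the cluster's own audit logging in a real deployment) shows that the request went through.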

Affected Systems

Portainer users running the Community and Enterprise editions are affected. The vulnerability exists in all releases from version 2.33.0 up through 2.33.7 (and any patch series that includes these missing return statements). Both CE and EE codebases share the defect, so any deployment of Portainer older than 2.33.8 is vulnerable regardless of the edition.

Risk and Exploitability

The CVSS score of 8.1 classifies this flaw as high severity. Because the EPSS score is not available and the vulnerability is not yet listed in CISA's KEV catalog, the exploitation probability is uncertain, but the need for a valid Portainer session suggests a moderate attack complexity. The flaw allows bypassing Kubernetes access controls for users who normally cannot reach certain endpoints, which means an attacker can elevate privileges within the cluster and potentially gain full control over cluster resources. The attack vector is an authenticated session to Portainer, followed by a request to a Kubernetes endpoint that the user normally lacks permission to access.

Generated by OpenCVE AI on May 28, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Portainer to version 2.33.8 or newer to apply the fix that adds the missing return statement.
  • Re‑evaluate Kubernetes access permissions so that only authorized users can request protected endpoints; configure role‑based access control accordingly.
  • Enforce least‑privilege policies for Portainer token creation, ensuring that users cannot request wider Kubernetes scopes than required.

Generated by OpenCVE AI on May 28, 2026 at 22:24 UTC.

Advisories
Source: Github GHSA
ID: GHSA-mgq6-4x29-88r3
Title: Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
History

Sat, 30 May 2026 03:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Portainer; Portainer portainer
Type: Vendors & Products
Values Added: Portainer; Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Type: Description
Values Added: identical to the Description at the top of this page
Type: Title
Values Added: Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Type: Weaknesses
Values Added: CWE-863
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:20:47.586Z

Reserved: 2026-05-07T21:50:33.544Z

Link: CVE-2026-44882

Vulnrichment

Updated: 2026-05-30T02:20:42.651Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T22:16:59.380

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:30:28Z

Weaknesses