Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable). The ?token= parameter was used by Portainer's browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed — not only administrators. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Published: 2026-05-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Portainer's authentication middleware allowed JWT bearer tokens to be supplied as a ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization header. As a result, the token was recorded in reverse-proxy access logs, stored in browser history, and transmitted in HTTP Referer headers. A leaked token grants the full privileges of the account it was issued to until expiry, which defaults to eight hours. This issue could thus enable unauthorized users to acquire administrative or container-execution rights without compromising the underlying system credentials.

Affected Systems

The vulnerability affects Portainer Community Edition versions from 2.33.0 onward that predate the fixed releases: 2.33.8 in the 2.33 series, 2.39.2 in the 2.39 series, and 2.41.0. An attacker can exploit affected instances via any authenticated API endpoint that accepts the ?token= query parameter. Containers, pods, and services that a user can attach to or execute commands on are at risk because the query parameter is used by these features.

Risk and Exploitability

The CVSS score of 7.7 indicates a high-severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, so the probability of exploitation remains uncertain. Based on the description, it is inferred that an attacker must have access to reverse-proxy access logs or browser history, or be able to observe outbound HTTP Referer headers, to capture the leaked token. If such access is obtained, the attacker can replay the token to impersonate the user it was issued to until it expires. The leak occurs whenever a client sends a valid bearer token in a ?token= query string to an authenticated API endpoint, as the affected browser-based attach, exec, and pod shell features did; the resulting log entry or Referer header can then be harvested and replayed.

Generated by OpenCVE AI on May 29, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Portainer to version 2.33.8, 2.39.2, or 2.41.0 or later, where the query‑string token processing has been removed.
  • Ensure that reverse‑proxy access logs, browser histories, and analytic tools are configured to filter or redact sensitive URL parameters, particularly the "token" query string.
  • Disable or restrict the execution and attachment features for non‑administrative users, or enforce role‑based access controls to eliminate the need for token usage in those paths.

Generated by OpenCVE AI on May 29, 2026 at 00:18 UTC.
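The Go below is an added example, not Portainer's code. It contrasts the affected middleware behaviour from the description (a bearer token taken from the Authorization header or, as a fallback, from ?token=) with the header-only form, and implements the log hygiene the recommended actions call for: a scan over constructed access-log lines that flags and redacts a JWT carried in the token query parameter. The function names, the JWT-shape regex, the request path and the log lines are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Matches a token= query parameter whose value has the compact-JWT shape
// (three base64url segments joined by dots). Assumed pattern, not Portainer's.
var jwtInQuery = regexp.MustCompile(`([?&]token=)[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`)

// bearerFromRequest extracts the JWT a request presents. allowQuery=true mirrors
// the affected behaviour (header, then ?token= fallback); false is the hardened
// form, where only the Authorization header is consulted.
func bearerFromRequest(r *http.Request, allowQuery bool) (string, bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), true
	}
	if allowQuery {
		if t := r.URL.Query().Get("token"); t != "" {
			return t, true // this token now sits in proxy logs, history and Referer headers
		}
	}
	return "", false
}

// Constructed access-log lines: the first leaks a fake JWT via ?token=, the second does not.
var sampleAccessLog = []string{
	`10.0.0.5 - - [28/May/2026:21:00:00 +0000] "GET /api/example/exec?token=eyJhbGciOiJIUzI1NiJ9.eyJpZCI6MX0.c2ln HTTP/1.1" 101 0`,
	`10.0.0.7 - - [28/May/2026:21:00:01 +0000] "GET /api/users/me HTTP/1.1" 200 512`,
}

// findLeakedTokens returns the log lines whose request URL carries a JWT in ?token=.
func findLeakedTokens(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if jwtInQuery.MatchString(l) {
			hits = append(hits, l)
		}
	}
	return hits
}

// redactLine blanks the token value so the line can be retained safely.
func redactLine(line string) string {
	return jwtInQuery.ReplaceAllString(line, "${1}[REDACTED]")
}

func main() {
	for _, l := range findLeakedTokens(sampleAccessLog) {
		fmt.Println(redactLine(l))
	}
}
```

The same regex can be fed to a log shipper's redaction stage so that the token value never reaches long-term storage.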

Advisories

Source: GitHub GHSA
ID: GHSA-jvp4-q659-95mj
Title: Portainer: JWT accepted in URL query leaks tokens to logs and referers
History

Thu, 28 May 2026 22:45:00 +0000

Values Added:
  • First Time appeared: Portainer; Portainer portainer
  • Vendors & Products: Portainer; Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Values Added:
  • Description: identical to the Description section above
  • Title: Portainer: JWT accepted in URL query leaks tokens to logs and referers
  • Weaknesses: CWE-598
  • References: none listed
  • Metrics: cvssV4_0, score 7.7, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T20:59:52.463Z

Reserved: 2026-05-07T21:50:33.544Z

Link: CVE-2026-44883

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T22:16:59.537

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44883

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T00:30:25Z

Weaknesses