Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves a missing authorization check on the Custom Template file endpoint (GET /api/custom_templates/{id}/file). Because any authenticated user can enumerate template IDs, the endpoint allows reading the file content of any custom template, bypassing the intended Resource Control restrictions. The exposed data may include environment‑specific values such as connection strings, API tokens, or registry credentials that administrators do not expect ordinary users to view. This flaw corresponds to CWE-862 (Missing Authorization).
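As an added illustration (not Portainer's code), the hypothetical Go model below runs the endpoint's lookup with and without the Resource Control check that the affected versions skipped; the `User` and `CustomTemplate` types, the sample data and the `canAccess` helper are constructed assumptions:

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical, simplified model of the objects involved (not Portainer's own types).
type User struct {
	ID      int
	IsAdmin bool
}
type CustomTemplate struct {
	ID      int
	OwnerID int
	File    string // template content, which may embed environment-specific secrets
}
// Constructed sample data: two templates and a Resource-Control-style access list.
var templates = map[int]CustomTemplate{
	1: {ID: 1, OwnerID: 10, File: "services:\n  db:\n    environment:\n      - DB_PASS=constructed-secret\n"},
	2: {ID: 2, OwnerID: 20, File: "services:\n  web:\n    image: registry.example/app:1.0\n"},
}
var resourceControl = map[int]map[int]bool{ // template ID -> user IDs granted access
	1: {10: true},
	2: {20: true, 30: true},
}
// canAccess is the authorization decision the affected endpoint skipped (admin, owner, or granted).
func canAccess(u User, t CustomTemplate) bool {
	return u.IsAdmin || u.ID == t.OwnerID || resourceControl[t.ID][u.ID]
}
// templateFile models GET /api/custom_templates/{id}/file. With enforce=false it behaves
// like the affected versions: being authenticated is enough to read any template by ID.
// With enforce=true the Resource Control check runs before the file is returned.
func templateFile(u User, id int, enforce bool) (int, string) {
	t, ok := templates[id]
	if !ok {
		return http.StatusNotFound, ""
	}
	if enforce && !canAccess(u, t) {
		return http.StatusForbidden, "" // 404 here would also avoid confirming which IDs exist
	}
	return http.StatusOK, t.File
}

func main() {
	for _, enforce := range []bool{false, true} {
		status, _ := templateFile(User{ID: 30}, 1, enforce) // user 30 has no grant on template 1
		fmt.Printf("enforce=%v: GET /api/custom_templates/1/file -> %d\n", enforce, status)
	}
}
```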

Affected Systems

Portainer Community Edition is affected. Versions from 2.33.0 up to, but not including, the fixed releases 2.33.8 and 2.39.1 contain the flaw. The product is used to manage Docker, Swarm, Kubernetes, and ACI environments.

Risk and Exploitability

The CVSS score of 6.0 classifies the vulnerability as Medium severity. EPSS information is not available, so the estimated exploitation probability cannot be quantified. The flaw does not appear in the CISA KEV catalog. An attacker requires authentication but does not need elevated privileges beyond a normal user role, and can exploit the vulnerability by sending HTTP GET requests to sequential numeric identifiers. Successful exploitation leads to disclosure of sensitive configuration data. While it does not allow arbitrary code execution, the leakage of credentials can compromise the entire stack.

Generated by OpenCVE AI on May 28, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Portainer to version 2.33.8 or later (including 2.39.1) to apply the authorization fix.
  • Re‑evaluate user roles and restrict the ability to create or view custom templates to trusted administrators only.
  • If immediate upgrade is not possible, block or rate‑limit access to the /api/custom_templates/*/file endpoint for non‑administrator accounts via firewall or reverse proxy rules.

Advisories

Source: GitHub GHSA
ID: GHSA-cqpq-2fgr-8mvc
Title: Portainer missing authorization on custom template file endpoint, which exposes template content

History

Fri, 29 May 2026 14:30:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 22:45:00 +0000

First Time appeared: Portainer; Portainer portainer
Vendors & Products added: Portainer; Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Description added: identical to the Description section above.
Title added: Portainer: Missing authorization on custom template file endpoint exposes template content
Weaknesses added: CWE-862
References added
Metrics added: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-29T13:55:35.420Z
Reserved: 2026-05-07T21:50:33.544Z
Link: CVE-2026-44884

Vulnrichment

Updated: 2026-05-29T13:55:32.510Z

NVD

Status: Awaiting Analysis
Published: 2026-05-28T22:16:59.677
Modified: 2026-05-29T15:06:44.207
Link: CVE-2026-44884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:00:16Z

Weaknesses