Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal — a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Portainer Community Edition versions 2.33.0 through 2.33.7 contain a path traversal flaw in the backup restore feature. The extraction routine builds paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)), which does not exclude traversal sequences. An attacker who can supply a crafted .tar.gz archive, for example with an entry named ../../etc/cron.d/evil, can cause the service to write files outside the intended extraction directory on the host filesystem. This flaw permits arbitrary file creation or modification on the server, potentially allowing the attacker to replace configuration files, install cron jobs, or otherwise manipulate system state, leading to local privilege escalation or persistence.
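The following Go code is an added example, not Portainer's own code, illustrating the mechanism described above and the page's description: DestPath shows what Clean(Join(outputDir, name)) yields for a traversal entry and adds the containment check the vulnerable code lacked, and ScanTar vets an archive's entry names before anything is written. DestPath, ScanTar, BuildTar and the /tmp/restore root are names chosen for this demo, and the gzip layer is assumed to be unwrapped with gzip.NewReader before the tar reader.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// DestPath returns the path the pre-2.33.8 construction Clean(Join(outputDir, name))
// yields, plus whether it actually lies inside outputDir. The separator suffix matters:
// a bare prefix check against "/tmp/restore" would wrongly accept "../restore2/x".
func DestPath(outputDir, name string) (string, bool) {
	root := filepath.Clean(outputDir)
	dest := filepath.Clean(filepath.Join(root, name))
	return dest, dest == root || strings.HasPrefix(dest, root+string(filepath.Separator))
}

// ScanTar walks tar entries (gzip already unwrapped by the caller) without writing
// anything and returns the names whose destination would escape outputDir.
func ScanTar(r io.Reader, outputDir string) ([]string, error) {
	tr := tar.NewReader(r)
	var escaped []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return escaped, nil
		}
		if err != nil && err != tar.ErrInsecurePath { // Go 1.20+ may flag these itself; we still want the name
			return nil, err
		}
		if _, inside := DestPath(outputDir, hdr.Name); !inside {
			escaped = append(escaped, hdr.Name)
		}
	}
}

// BuildTar assembles a constructed in-memory tar stream for the demo (not a real Portainer backup).
func BuildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}
```

Running ScanTar over a restore archive before extraction, with the gzip layer removed first, lists every entry that would land outside the restore root.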

Affected Systems

The affected vendor and product are Portainer Community Edition. Vulnerable versions are 2.33.0 through 2.33.7; the problem is addressed starting with version 2.33.8.

Risk and Exploitability

The CVSS score of 5.5 categorizes the severity as moderate. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated or accessible Portainer instance where an attacker can submit a malicious backup archive via the web interface. Successful exploitation would allow arbitrary file writes on the host, which could be used for persistence or privilege escalation.

Generated by OpenCVE AI on May 29, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Portainer to version 2.33.8 or later.
  • If an upgrade cannot be performed immediately, restrict or disable access to the backup restore endpoint to trusted users only.
  • Configure the Portainer service to run under a non-privileged user to limit write permissions to critical host directories.

Generated by OpenCVE AI on May 29, 2026 at 00:18 UTC.

Advisories
Source: Github GHSA
ID: GHSA-m8fg-67j7-cx4v
Title: Portainer has a path traversal in backup archive extraction that allows arbitrary file write
History

Fri, 29 May 2026 20:30:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 23:45:00 +0000

First Time appeared, added: Portainer; Portainer portainer
Vendors & Products, added: Portainer; Portainer portainer

Thu, 28 May 2026 21:30:00 +0000

Description added: Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal — a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8.
Title added: Portainer: Path traversal in backup archive extraction allows arbitrary file write
Weaknesses added: CWE-22
References added: (none shown)
Metrics (cvssV3_1) added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:11:01.372Z

Reserved: 2026-05-07T21:50:33.544Z

Link: CVE-2026-44885

Vulnrichment

Updated: 2026-05-29T19:10:57.054Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T22:16:59.803

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T00:30:25Z

Weaknesses