CVE-2026-33590
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CWE: CWE-276
Description
Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root-equivalent access on the host.
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33590
- Other: https://github.com/portainer/portainer/commit/3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52
- Other: https://github.com/portainer/portainer/commit/ac8fa7672e732b44b970c9eaf928eddd2c68796c
- Other: https://intwave.com/blog/2026/02/26/improving-portainer-security.html
Related CVEs
Same CWE
- CVE-2026-49157 — Incorrect Default Permissions vulnerability in Apache ActiveMQ (8.8 HIGH)
- CVE-2026-48191 — An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
- CVE-2026-48190 — An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)
- CVE-2026-49237 — An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199 (7.8 HIGH)
- CVE-2026-44469 — The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative instal... (7.8 HIGH)