CVE-2026-44884

6.5 MEDIUM

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ...

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-862

Affected products

Vendor	Product
portainer	portainer

Description

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44884
[Exploit reference]https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc

Related CVEs

Same vendor

CVE-2026-44885 — Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ... (5.5 MEDIUM)
CVE-2026-44883 — Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ... (7.5 HIGH)
CVE-2026-44882 — Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ... (8.1 HIGH)
CVE-2026-44881 — Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ... (9.9 CRITICAL)
CVE-2026-44850 — Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, ... (8.5 HIGH)

Same CWE

CVE-2026-46645 — SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
CVE-2026-53634 — Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
CVE-2026-0272 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...
CVE-2026-49822 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
CVE-2026-49821 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)