Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
References
| Link | Resource |
|---|---|
| https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4 | Exploit Third Party Advisory |
| https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
01 Jun 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4 - Exploit, Third Party Advisory |
01 Jun 2026, 17:58
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| References | () https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4 - Exploit, Third Party Advisory | |
| CPE | cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:* cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:* |
|
| First Time |
Portainer
Portainer portainer |
28 May 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-28 22:16
Updated : 2026-06-01 21:16
NVD link : CVE-2026-44848
Mitre link : CVE-2026-44848
CVE.ORG link : CVE-2026-44848
JSON object : View
Products Affected
portainer
- portainer
CWE
CWE-862
Missing Authorization