Attack Chain

1. An attacker creates a Git repository with a docker-compose.yml file configured as a symbolic link to a sensitive file (e.g., /etc/passwd).
2. The attacker uses the Portainer API or web interface to create a new stack, specifying the attacker-controlled Git repository as the source.
3. Portainer clones the Git repository using go-git, which creates the symlink on the filesystem.
4. An authenticated user (admin or non-admin, depending on configuration) triggers the file read by accessing the stack through Portainer’s GET /api/stacks/{id}/file endpoint.
5. Portainer reads the docker-compose.yml file, which resolves to the attacker-specified target file due to the presence of the symlink.
6. The contents of the sensitive file are returned in the HTTP response to the user who initiated the request.
7. If auto-update is enabled, an attacker can push a malicious commit to an existing legitimate repository to replace the docker-compose.yml file with a symbolic link.
8. The file read is then triggered on the next scheduled update cycle with no further interaction required, leaking sensitive data without further user action.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files accessible to the Portainer process, typically running as root in containerized deployments. This includes sensitive files such as /etc/shadow, /root/.ssh/*, /proc/self/environ, and the Portainer BoltDB (portainer.db) containing user password hashes, API tokens, and agent credentials. In Kubernetes environments, the attacker can read the cluster service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, granting the attacker the Portainer pod’s cluster API access. Similarly, Docker Swarm secrets mounted into the Portainer container at /run/secrets/ can be exposed. These leaked credentials can lead to onward compromise of managed Docker/Kubernetes environments, container registries, and Portainer itself.

Recommendation

• Upgrade to Portainer version 2.33.8, 2.39.2, or 2.41.0, where the vulnerability is fixed.
• Disable Allow non-admin users to manage their stacks in environment settings to restrict stack creation to administrators, reducing the attack surface.
• Carefully review and avoid deploying Git-backed stacks from untrusted repositories.
• Disable auto-update on existing stacks to prevent deferred exploitation.
• Deploy the Sigma rule Detect Portainer Stack File Access to Sensitive Paths to identify requests accessing sensitive files through the stack file endpoint.
• Audit existing stack working directories for unexpected symlink entries under /data/compose/ (or your configured data directory) using find /data/compose -type l.
• Patch CVE-2026-44881 across all Portainer instances.