{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44848/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portainer (\u003e= 2.33.0, \u003c 2.33.8)","Portainer (\u003e= 2.39.0, \u003c 2.39.2)","Portainer (\u003e= 2.40.0, \u003c 2.41.0)","Docker"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","execution","CVE-2026-44848"],"_cs_type":"advisory","_cs_vendors":["Portainer"],"content_html":"\u003cp\u003ePortainer, a web-based management UI for Docker, has a critical missing authorization vulnerability (CVE-2026-44848) affecting versions 2.33.0-2.33.7, 2.39.0-2.39.1, and 2.40.0. This flaw allows a standard (non-admin) user with access to a Docker endpoint to bypass Role-Based Access Control (RBAC) and directly interact with the Docker daemon\u0026rsquo;s plugin management endpoints. Specifically, the \u003ccode\u003e/plugins/*\u003c/code\u003e endpoints were not properly registered with an authorization handler. This oversight enables a malicious user to install, enable, and execute arbitrary Docker plugins, gaining root-level privileges on the underlying Docker host. This vulnerability was reported on 2026-03-16 and patched in subsequent releases, highlighting the importance of timely updates for Portainer deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-admin user authenticates to Portainer with access to a Docker endpoint.\u003c/li\u003e\n\u003cli\u003eThe user crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/plugins/pull\u003c/code\u003e endpoint, specifying a malicious Docker plugin from a public or private registry.\u003c/li\u003e\n\u003cli\u003ePortainer forwards the request to the Docker daemon without proper authorization checks, bypassing RBAC.\u003c/li\u003e\n\u003cli\u003eDocker pulls the specified plugin image from the registry.\u003c/li\u003e\n\u003cli\u003eThe user crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/plugins/{name}/enable\u003c/code\u003e endpoint to enable the pulled plugin.\u003c/li\u003e\n\u003cli\u003eAgain, Portainer forwards the request to the Docker daemon without authorization.\u003c/li\u003e\n\u003cli\u003eDocker enables the plugin, granting it requested privileges such as \u003ccode\u003eCAP_SYS_ADMIN\u003c/code\u003e and host-path mounts.\u003c/li\u003e\n\u003cli\u003eThe malicious Docker plugin executes with root privileges on the Docker host, allowing the user to read and modify files, effectively gaining complete control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker with limited Portainer privileges to achieve root-level access on the Docker host. The attacker can then read and modify sensitive data, install malware, or disrupt services. Given the widespread use of Portainer in managing Docker environments, a successful exploit could lead to significant data breaches, system compromise, and operational disruption. Organizations using vulnerable Portainer versions are at high risk and should apply the provided patches or workarounds immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Portainer:\u003c/strong\u003e Immediately upgrade to the latest version of your supported branch (2.33.8, 2.39.2, or 2.41.0) to address the vulnerability as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApply Workaround:\u003c/strong\u003e As an interim measure, revoke Docker endpoint access for non-admin users via Portainer RBAC until the patched release is deployed as suggested in the \u0026ldquo;Workarounds\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Docker API Access:\u003c/strong\u003e Implement network monitoring to detect unauthorized access to the Docker API, focusing on \u003ccode\u003e/plugins/*\u003c/code\u003e endpoints, to catch potential exploit attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:29:27Z","date_published":"2026-05-14T16:29:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-portainer-rce/","summary":"Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 expose a missing authorization vulnerability (CVE-2026-44848) on the Docker plugin management endpoints, allowing a non-admin user with access to a Docker endpoint to install and enable arbitrary Docker plugins from any registry, ultimately leading to root privileges on the Docker host and unauthorized file system access.","title":"Portainer Missing Authorization on Docker Plugin Endpoints Leads to Host RCE (CVE-2026-44848)","url":"https://feed.craftedsignal.io/briefs/2026-05-portainer-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44848","version":"https://jsonfeed.org/version/1.1"}