<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-44848 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-44848/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 14 May 2026 16:29:27 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-44848/feed.xml" rel="self" type="application/rss+xml"/><item><title>Portainer Missing Authorization on Docker Plugin Endpoints Leads to Host RCE (CVE-2026-44848)</title><link>https://feed.craftedsignal.io/briefs/2026-05-portainer-rce/</link><pubDate>Thu, 14 May 2026 16:29:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-portainer-rce/</guid><description>Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 expose a missing authorization vulnerability (CVE-2026-44848) on the Docker plugin management endpoints, allowing a non-admin user with access to a Docker endpoint to install and enable arbitrary Docker plugins from any registry, ultimately leading to root privileges on the Docker host and unauthorized file system access.</description><content:encoded><![CDATA[<p>Portainer, a web-based management UI for Docker, has a critical missing authorization vulnerability (CVE-2026-44848) affecting versions 2.33.0-2.33.7, 2.39.0-2.39.1, and 2.40.0. This flaw allows a standard (non-admin) user with access to a Docker endpoint to bypass Role-Based Access Control (RBAC) and directly interact with the Docker daemon&rsquo;s plugin management endpoints.  
Specifically, the <code>/plugins/*</code> endpoints were not properly registered with an authorization handler. This oversight enables a malicious user to install, enable, and execute arbitrary Docker plugins, gaining root-level privileges on the underlying Docker host. This vulnerability was reported on 2026-03-16 and patched in subsequent releases, highlighting the importance of timely updates for Portainer deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A non-admin user authenticates to Portainer with access to a Docker endpoint.</li>
<li>The user crafts a <code>POST</code> request to the <code>/plugins/pull</code> endpoint, specifying a malicious Docker plugin from a public or private registry.</li>
<li>Portainer forwards the request to the Docker daemon without proper authorization checks, bypassing RBAC.</li>
<li>Docker pulls the specified plugin image from the registry.</li>
<li>The user crafts a <code>POST</code> request to the <code>/plugins/{name}/enable</code> endpoint to enable the pulled plugin.</li>
<li>Again, Portainer forwards the request to the Docker daemon without authorization.</li>
<li>Docker enables the plugin, granting it requested privileges such as <code>CAP_SYS_ADMIN</code> and host-path mounts.</li>
<li>The malicious Docker plugin executes with root privileges on the Docker host, allowing the user to read and modify files, effectively gaining complete control of the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an attacker with limited Portainer privileges to achieve root-level access on the Docker host. The attacker can then read and modify sensitive data, install malware, or disrupt services. Given the widespread use of Portainer in managing Docker environments, a successful exploit could lead to significant data breaches, system compromise, and operational disruption. Organizations using vulnerable Portainer versions are at high risk and should apply the provided patches or workarounds immediately.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Upgrade Portainer:</strong> Immediately upgrade to the latest version of your supported branch (2.33.8, 2.39.2, or 2.41.0) to address the vulnerability as indicated in the advisory.</li>
<li><strong>Apply Workaround:</strong> As an interim measure, revoke Docker endpoint access for non-admin users via Portainer RBAC until the patched release is deployed, as suggested in the &ldquo;Workarounds&rdquo; section.</li>
<li><strong>Monitor Docker API Access:</strong> Implement network monitoring to detect unauthorized access to the Docker API, focusing on <code>/plugins/*</code> endpoints, to catch potential exploit attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>execution</category><category>CVE-2026-44848</category></item></channel></rss>