{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44850/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portainer (\u003e= 2.33.0, \u003c 2.33.8)","Portainer (\u003e= 2.39.0, \u003c 2.39.2)","Portainer (\u003e= 2.40.0, \u003c 2.41.0)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","container","CVE-2026-44850"],"_cs_type":"advisory","_cs_vendors":["Portainer"],"content_html":"\u003cp\u003ePortainer, a container management platform, contains a vulnerability (CVE-2026-44850) where the \u0026ldquo;Disable bind mounts for non-administrators\u0026rdquo; security setting can be bypassed. This setting aims to prevent regular users from binding host paths into containers they create through the Portainer-mediated Docker API. However, the check only inspected the \u003ccode\u003eHostConfig.Binds\u003c/code\u003e array and not the equivalent \u003ccode\u003eHostConfig.Mounts\u003c/code\u003e array. An authenticated user with container-create rights on an environment where the restriction is enabled could exploit this vulnerability and mount any host path into their container by submitting a \u003ccode\u003ebind\u003c/code\u003e-typed entry under \u003ccode\u003eHostConfig.Mounts\u003c/code\u003e. This bypass can be exploited to gain unauthorized access to the Docker host\u0026rsquo;s filesystem, compromising the entire system. Fixes were released in versions 2.33.8, 2.39.2, and 2.41.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Portainer as a regular user with container-create rights.\u003c/li\u003e\n\u003cli\u003eThe targeted Portainer environment has the \u0026ldquo;Disable bind mounts for non-administrators\u0026rdquo; security setting enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST /containers/create\u003c/code\u003e request to the Docker API through the Portainer proxy.\u003c/li\u003e\n\u003cli\u003eIn the request body, the attacker includes a \u003ccode\u003eHostConfig.Mounts\u003c/code\u003e array with a \u003ccode\u003ebind\u003c/code\u003e-typed entry. This entry specifies the host path to be mounted into the container.\u003c/li\u003e\n\u003cli\u003eThe Portainer proxy, which only checks \u003ccode\u003eHostConfig.Binds\u003c/code\u003e, fails to detect the malicious bind mount configuration in \u003ccode\u003eHostConfig.Mounts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Docker daemon creates the container with the specified bind mount, granting the attacker\u0026rsquo;s container access to the host filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands within the container to read or write to the mounted host path, potentially accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the host system, other containers, or achieves persistence by writing to authorized_keys or systemd units.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a regular user to bypass bind mount restrictions and gain unauthorized access to the Docker host filesystem. This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eReading or writing any path on the Docker host filesystem, including sensitive files like \u003ccode\u003e/etc/shadow\u003c/code\u003e or SSH keys under \u003ccode\u003e/root/.ssh\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCompromising other containers on the same host by accessing their layers, volumes, and live state within \u003ccode\u003e/var/lib/docker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGaining full Docker API access by mounting \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e into the container.\u003c/li\u003e\n\u003cli\u003eWriting persistence to the host by dropping SSH keys into \u003ccode\u003eauthorized_keys\u003c/code\u003e or installing systemd units.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis vulnerability affects installations where the bind-mount restriction was relied upon as the primary defense against host exposure, particularly in shared environments with non-administrator container creators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Portainer to versions 2.33.8, 2.39.2, or 2.41.0 or later to patch CVE-2026-44850.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Portainer HostConfig Mounts Bind Type (CVE-2026-44850)\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring container creation events.\u003c/li\u003e\n\u003cli\u003eAudit recent container creations for \u003ccode\u003eHostConfig.Mounts\u003c/code\u003e of \u003ccode\u003eType: bind\u003c/code\u003e from non-admin Portainer users as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eRevoke container-create rights from non-administrator accounts on affected environments until the patched release is deployed as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:30:41Z","date_published":"2026-05-14T16:30:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-portainer-bind-mount-bypass/","summary":"Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 through 2.40.9 are vulnerable to CVE-2026-44850, a bind-mount restriction bypass via the `HostConfig.Mounts` array allowing regular users to mount host paths into containers and potentially compromise the host filesystem.","title":"Portainer Bind Mount Restriction Bypass via HostConfig.Mounts (CVE-2026-44850)","url":"https://feed.craftedsignal.io/briefs/2026-05-portainer-bind-mount-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44850","version":"https://jsonfeed.org/version/1.1"}