{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44881/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portainer CE","Portainer"],"_cs_severities":["high"],"_cs_tags":["git","symlink","file-read","portainer","cve-2026-44881","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Portainer"],"content_html":"\u003cp\u003ePortainer is susceptible to an arbitrary file read vulnerability (CVE-2026-44881) stemming from Git symlink injection during stack deployment from Git repositories. An attacker with the ability to create or update Git-backed stacks can exploit this flaw. The vulnerability arises because Portainer uses \u003ccode\u003ego-git\u003c/code\u003e v5 to clone Git repositories, which translates Git symlink entries into OS symlinks without proper validation, except for \u003ccode\u003e.gitmodules\u003c/code\u003e. By crafting a repository containing a \u003ccode\u003edocker-compose.yml\u003c/code\u003e file that is a symbolic link to a sensitive file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, Kubernetes service account token), an attacker can trick Portainer into reading and disclosing the contents of the linked file via the \u003ccode\u003eGET /api/stacks/{id}/file\u003c/code\u003e endpoint. Git-stack auto-update amplifies the issue by allowing deferred exploitation through a malicious commit that replaces \u003ccode\u003edocker-compose.yml\u003c/code\u003e with a symlink. This vulnerability affects Portainer releases from the introduction of Git-based stack deployment until the fixes in versions 2.33.8, 2.39.2, and 2.41.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a Git repository with a \u003ccode\u003edocker-compose.yml\u003c/code\u003e file configured as a symbolic link to a sensitive file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Portainer API or web interface to create a new stack, specifying the attacker-controlled Git repository as the source.\u003c/li\u003e\n\u003cli\u003ePortainer clones the Git repository using \u003ccode\u003ego-git\u003c/code\u003e, which creates the symlink on the filesystem.\u003c/li\u003e\n\u003cli\u003eAn authenticated user (admin or non-admin, depending on configuration) triggers the file read by accessing the stack through Portainer\u0026rsquo;s \u003ccode\u003eGET /api/stacks/{id}/file\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003ePortainer reads the \u003ccode\u003edocker-compose.yml\u003c/code\u003e file, which resolves to the attacker-specified target file due to the presence of the symlink.\u003c/li\u003e\n\u003cli\u003eThe contents of the sensitive file are returned in the HTTP response to the user who initiated the request.\u003c/li\u003e\n\u003cli\u003eIf auto-update is enabled, an attacker can push a malicious commit to an existing legitimate repository to replace the \u003ccode\u003edocker-compose.yml\u003c/code\u003e file with a symbolic link.\u003c/li\u003e\n\u003cli\u003eThe file read is then triggered on the next scheduled update cycle with no further interaction required, leaking sensitive data without further user action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files accessible to the Portainer process, typically running as root in containerized deployments. This includes sensitive files such as \u003ccode\u003e/etc/shadow\u003c/code\u003e, \u003ccode\u003e/root/.ssh/*\u003c/code\u003e, \u003ccode\u003e/proc/self/environ\u003c/code\u003e, and the Portainer BoltDB (\u003ccode\u003eportainer.db\u003c/code\u003e) containing user password hashes, API tokens, and agent credentials. In Kubernetes environments, the attacker can read the cluster service account token mounted at \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e, granting the attacker the Portainer pod\u0026rsquo;s cluster API access. Similarly, Docker Swarm secrets mounted into the Portainer container at \u003ccode\u003e/run/secrets/\u003c/code\u003e can be exposed. These leaked credentials can lead to onward compromise of managed Docker/Kubernetes environments, container registries, and Portainer itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Portainer version 2.33.8, 2.39.2, or 2.41.0, where the vulnerability is fixed.\u003c/li\u003e\n\u003cli\u003eDisable \u003cstrong\u003eAllow non-admin users to manage their stacks\u003c/strong\u003e in environment settings to restrict stack creation to administrators, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eCarefully review and avoid deploying Git-backed stacks from untrusted repositories.\u003c/li\u003e\n\u003cli\u003eDisable auto-update on existing stacks to prevent deferred exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Portainer Stack File Access to Sensitive Paths\u003c/code\u003e to identify requests accessing sensitive files through the stack file endpoint.\u003c/li\u003e\n\u003cli\u003eAudit existing stack working directories for unexpected symlink entries under \u003ccode\u003e/data/compose/\u003c/code\u003e (or your configured data directory) using \u003ccode\u003efind /data/compose -type l\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2026-44881 across all Portainer instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:30:14Z","date_published":"2026-05-14T16:30:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-portainer-git-symlink-read/","summary":"Portainer is vulnerable to an arbitrary file read vulnerability due to Git symlink injection when deploying stacks from Git repositories, allowing authenticated users to read sensitive files accessible to the Portainer process.","title":"Portainer Arbitrary File Read via Git Symlink Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-portainer-git-symlink-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-44881","version":"https://jsonfeed.org/version/1.1"}