{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44883/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portainer (\u003e= 2.33.0, \u003c 2.33.8)","Portainer (\u003e= 2.39.0, \u003c 2.39.2)","Portainer (\u003e= 2.40.0, \u003c 2.41.0)"],"_cs_severities":["high"],"_cs_tags":["jwt","token-leak","credential-access","CVE-2026-44883","portainer"],"_cs_type":"advisory","_cs_vendors":["Portainer"],"content_html":"\u003cp\u003ePortainer is vulnerable to JWT leakage due to accepting tokens via the \u003ccode\u003e?token=\u0026lt;JWT\u0026gt;\u003c/code\u003e URL query parameter. This vulnerability, present since the introduction of JWT authentication, allows the JWT to be exposed in reverse proxy logs, browser history, and HTTP Referer headers. The \u003ccode\u003e?token=\u003c/code\u003e parameter was used by Portainer\u0026rsquo;s browser-based container attach, exec, and pod shell features, impacting any user with exec or attach rights. The issue was reported on 2026-03-06, and fixed in versions 2.33.8, 2.39.2, and 2.41.0. Exploitation requires an attacker to obtain a leaked token, but once obtained, it grants the privileges of the user it was issued to, including administrative access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user authenticates to Portainer, receiving a JWT.\u003c/li\u003e\n\u003cli\u003eThe user initiates a container attach, exec, or pod shell operation, triggering a request to Portainer that includes the JWT as a \u003ccode\u003e?token=\u003c/code\u003e query parameter.\u003c/li\u003e\n\u003cli\u003eThe request is processed by Portainer\u0026rsquo;s authentication middleware, which accepts the JWT from the query parameter.\u003c/li\u003e\n\u003cli\u003eThe request, including the JWT in the URL, is logged by a reverse proxy or other network monitoring tool.\u003c/li\u003e\n\u003cli\u003eAlternatively, the user navigates to an external site from within the Portainer UI, causing the JWT to be sent in the Referer header.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the logs or intercepts the Referer header, obtaining the leaked JWT.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked JWT to authenticate to the Portainer API, impersonating the original user.\u003c/li\u003e\n\u003cli\u003eIf the compromised token belongs to an administrator, the attacker gains full API access, including user management, container exec, and stack deployment, potentially compromising the host filesystem of managed environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to significant data breaches and system compromise. Leaked tokens can be captured by intermediate systems like reverse proxies, exposing the full JWT in plaintext. URLs containing \u003ccode\u003e?token=\u003c/code\u003e are recorded in browser history and forwarded in the \u003ccode\u003eReferer\u003c/code\u003e header. An attacker with a leaked JWT can act as the authenticated user for the remainder of the token\u0026rsquo;s validity, gaining full API access, including user management, container exec, and stack deployment. If the leaked token belongs to an administrator, the attacker gains full control over Portainer and its managed environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Portainer to version 2.33.8, 2.39.2, or 2.41.0 or later to remediate the vulnerability as outlined in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement reverse proxy rules to strip the \u003ccode\u003e?token=\u003c/code\u003e parameter from requests before they reach Portainer, as mentioned in the workarounds, but be aware this breaks container attach/exec until Portainer is patched.\u003c/li\u003e\n\u003cli\u003eAudit existing logs for occurrences of \u003ccode\u003e?token=\u003c/code\u003e or \u003ccode\u003e\u0026amp;token=\u003c/code\u003e as mentioned in the workarounds, and treat any captured JWT as compromised by resetting affected user passwords.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Portainer JWT Parameter in Web Logs\u0026rdquo; to identify potential token leaks in web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Portainer API Access Using Leaked JWT\u0026rdquo; to identify API access attempts using leaked JWTs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:37:50Z","date_published":"2026-05-14T16:37:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-portainer-jwt-leak/","summary":"Portainer's authentication middleware accepts JWT bearer tokens passed as the `?token=\u003cJWT\u003e` URL query parameter on any authenticated API endpoint, leading to JWT leakage to logs and referrers, where a leaked token grants the full privileges of the user it was issued to, until the token expires.","title":"Portainer JWT Leak via URL Query Parameter","url":"https://feed.craftedsignal.io/briefs/2026-05-portainer-jwt-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44883","version":"https://jsonfeed.org/version/1.1"}