CVE-2026-33590 · Severity: HIGH · CNA: ENISA

CVE-2026-33590: Insecure default permissions in Portainer CE

Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can abuse these defaults to read host files or obtain root-equivalent access on the host.

HarborGuard Analysis

Synopsis

An insecure default permissions vulnerability in Portainer Community Edition allows a regular, non-administrative authenticated user to reach the underlying host: the privileges Portainer CE grants to non-admin users by default are enough to read host files and to run code on the host, so no separate container escape is needed. The flaw is reachable over the network and requires only a low-privilege account with endpoint access, as the CVSS vector records (AV:N, PR:L). Successful exploitation gives an attacker read access to host filesystem files and root-equivalent code execution on the host. Patched-image rebuilds at versions 2.38.0 and 2.39.0 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is active across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Portainer CE images. Any image running a Portainer CE version below 2.38.0 is flagged automatically.
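A practitioner who wants to reproduce that version check locally, for example over the image references in a Compose file or over the JSON that Portainer's unauthenticated GET /api/status endpoint returns, can use the script below. It is an added example written for this advisory, not HarborGuard's scanner or Portainer code. The only fact it takes from the page is the "Fixed in" value 2.38.0; it orders pre-release builds such as 2.38.0-rc1 below the release so they stay flagged, and it refuses to classify floating tags such as latest or lts, which carry no version and must be resolved before they can be judged. The image references and the status response are constructed sample input, and the "Version" field name in the /api/status body is an assumption to verify against your own instance.

```python
"""Triage helper for CVE-2026-33590: is a Portainer CE version affected?

Added example for this advisory, not HarborGuard or Portainer code. The only
advisory fact it relies on is the "Fixed in" value 2.38.0. Sample inputs at
the bottom are constructed, not scanner output.
"""
import json
import re
from typing import Optional, Tuple

FIXED_IN = "2.38.0"  # "Fixed in" value on this advisory page

# major.minor[.patch], optional pre-release marker (-rc1, -beta2, -alpha),
# optional image-variant suffix (-alpine) that is NOT a pre-release marker.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?"
    r"(?:-(?:rc|beta|alpha)\d*)?"
    r"(?:[-+][0-9A-Za-z.\-]*)?$"
)
_PRERELEASE_RE = re.compile(r"-(?:rc|beta|alpha)\d*(?:[-+.]|$)")

# (major, minor, patch, is_release): the last element orders pre-releases
# below the final release, so 2.38.0-rc1 < 2.38.0 and stays "affected".
VersionKey = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[VersionKey]:
    """Parse '2.27.1', 'v2.38.0-rc1' or '2.27.1-alpine' into a sortable key.

    Returns None for floating tags such as 'latest' or 'lts': they carry no
    version, and the caller must treat them as unknown rather than safe.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    is_release = 0 if _PRERELEASE_RE.search(text) else 1
    return (major, minor, patch, is_release)


def is_affected(version: str) -> Optional[bool]:
    """True if version < FIXED_IN, False if at or above it, None if unparseable."""
    key = parse_version(version)
    if key is None:
        return None
    return key < parse_version(FIXED_IN)


def _verdict(version: str) -> str:
    state = is_affected(version)
    if state is None:
        return "unknown"
    return "affected" if state else "fixed"


def check_image(ref: str) -> str:
    """Classify an image reference as found in a Compose file or registry listing.

    Only the portainer-ce image is in scope. A digest-pinned or floating tag
    yields 'unknown': resolve it to a version and re-check, never assume fixed.
    """
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:            # no tag, e.g. 'portainer/portainer-ce'
        name, tag = ref, "latest"         # (also catches 'registry:5000/...')
    if "@" in name:                       # 'image@sha256:<digest>'
        return "unknown"
    if not name.endswith("portainer-ce"):
        return "not-portainer-ce"
    return _verdict(tag)


def check_status_json(body: str) -> str:
    """Classify the JSON body returned by Portainer's GET /api/status.

    Assumption: the version sits in a top-level "Version" field; verify the
    field name against your own instance before relying on this.
    """
    return _verdict(str(json.loads(body).get("Version", "")))


# Constructed sample input for a dry run.
SAMPLE_IMAGES = [
    "portainer/portainer-ce:2.27.1",
    "portainer/portainer-ce:2.38.0-rc1-alpine",
    "portainer/portainer-ce:2.38.0",
    "registry.example.internal/infra/portainer-ce:2.39.0",
    "portainer/portainer-ce:lts",
    "portainer/agent:2.27.1",
]
SAMPLE_STATUS = '{"Version": "2.27.1", "InstanceID": "00000000-0000-0000-0000-000000000000"}'

if __name__ == "__main__":
    for ref in SAMPLE_IMAGES:
        print(f"{ref:55} {check_image(ref)}")
    print(f"{'GET /api/status':55} {check_status_json(SAMPLE_STATUS)}")
```

An "unknown" verdict is deliberately not "fixed": a lts or latest tag, or a digest-pinned reference, has to be resolved to a concrete version (for example by querying the running instance's /api/status) before the image can be cleared.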
Triage: Available

HarborGuard records this finding at CVSS 8.5 (High) and surfaces it with the full v4.0 vector for reviewer context. Per-environment compliance policy weighting and team-routing rules deliver the alert to the appropriate inbox inside each customer organization without manual triage steps.
Patch: Available

A patched-image rebuild at Portainer CE 2.38.0 or 2.39.0 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image and opens a pull request against the affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes where auto-remediation is enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Portainer CE service over the network (AV:N); no local or physical access to the host is needed to start the attack.

  • Authentication: Required

    A valid low-privilege account with endpoint access is sufficient (PR:L); no administrative credentials are needed.

  • Victim interaction: Required (passive)

    The vector carries UI:P, which in CVSS v4.0 means limited, involuntary interaction by another user with the vulnerable system is part of the attack chain; the victim does not have to actively bypass any protection.

  • Attack complexity: Low

    Attack complexity is Low (AC:L) and there are no attack requirements (AT:N): no special timing, race condition or environmental precondition is needed, so the exploit is reliable and repeatable.

Blast Radius

  • A successful attacker reads arbitrary files from the host filesystem, including secrets, credentials and configuration files outside any container boundary.
  • The attacker executes arbitrary code with root-equivalent privilege on the underlying host, gaining full control of the node.
  • The subsequent-system impact metrics are all High (SC:H, SI:H, SA:H): in CVSS v4.0 terms the impact extends beyond the vulnerable Portainer component to other systems, here every other workload sharing the host.
  • The attacker can modify persisted host-level data or crash host services, disrupting all containers running on the same node.
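The exploit conditions and the blast radius above are both read off the CVSS v4.0 vector listed under Metrics. The parser below is an added example written for this advisory, not HarborGuard's triage code or anything from Portainer: it validates a v4.0 vector string, derives the same exploit-condition rows and the vulnerable-versus-subsequent-system impact split, and applies an escalation rule that is a hypothetical policy for illustration only. It does not compute the numeric score, which needs the v4.0 MacroVector lookup table; the only values it depends on are the metric names and abbreviations from the CVSS v4.0 specification.

```python
"""Read a CVSS v4.0 vector into the exploit-condition and blast-radius summary.

Added example for this advisory, not HarborGuard triage code. It validates and
parses the vector only; the numeric score is not computed here because that
requires the v4.0 MacroVector lookup table. The escalation rule at the end is
a hypothetical policy for illustration.
"""
from typing import Dict, List

VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"

# Allowed values per metric (CVSS v4.0 base metrics plus the Exploit Maturity
# threat metric; environmental and supplemental metrics are not modelled).
BASE_METRICS: Dict[str, set] = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}
THREAT_METRICS: Dict[str, set] = {"E": {"X", "A", "P", "U"}}


def parse_cvss4(vector: str) -> Dict[str, str]:
    """Split a CVSS:4.0 vector into {metric: value}, rejecting malformed input.

    A wrong prefix, unknown metric, bad value, duplicate, or missing base
    metric raises ValueError so a broken feed entry fails loudly instead of
    being triaged on garbage.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    allowed = {**BASE_METRICS, **THREAT_METRICS}
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in allowed:
            raise ValueError(f"unknown metric in {part!r}")
        if value not in allowed[name]:
            raise ValueError(f"bad value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploit_conditions(m: Dict[str, str]) -> Dict[str, str]:
    """Map AV/PR/UI/AC/AT to the rows shown under 'Exploit Conditions'."""
    return {
        "network_reachability": "required" if m["AV"] == "N" else "not-required",
        "authentication": {"N": "none", "L": "low-privilege account",
                           "H": "administrative account"}[m["PR"]],
        "victim_interaction": {"N": "none", "P": "passive", "A": "active"}[m["UI"]],
        "attack_complexity": "low" if m["AC"] == "L" else "high",
        "attack_requirements": "none" if m["AT"] == "N" else "present",
    }


def blast_radius(m: Dict[str, str]) -> Dict[str, List[str]]:
    """Return which impact dimensions are High on the vulnerable system
    (VC/VI/VA) and on subsequent systems (SC/SI/SA)."""
    dims = ("confidentiality", "integrity", "availability")
    return {
        "vulnerable_system": [d for d, k in zip(dims, ("VC", "VI", "VA")) if m[k] == "H"],
        "subsequent_systems": [d for d, k in zip(dims, ("SC", "SI", "SA")) if m[k] == "H"],
    }


def escalate(m: Dict[str, str]) -> bool:
    """Hypothetical queue rule: jump the queue when a network-reachable flaw
    needs at most a low-privilege account and spills into subsequent systems."""
    return (m["AV"] == "N" and m["PR"] in {"N", "L"}
            and bool(blast_radius(m)["subsequent_systems"]))


if __name__ == "__main__":
    metrics = parse_cvss4(VECTOR)
    for key, value in exploit_conditions(metrics).items():
        print(f"{key:22} {value}")
    print("blast radius:", blast_radius(metrics))
    print("escalate:", escalate(metrics))
```

Strict validation is the point of the parser: a feed that drops a metric or ships a v3.1 vector under a v4.0 label should stop the pipeline rather than silently produce an empty blast radius and a "do not escalate" verdict.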

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-33590 is active for all customer environments scanning Portainer CE images, with matches surfaced within minutes of the advisory publication. Fix versions 2.38.0 and 2.39.0 are the remediation targets; a rebuilt image at those versions is available for any environment where the scan identifies an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the patched version, executes a regression run against the new image and opens a pull request against the affected workloads; where compliance policy permits, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. Customers not using auto-remediation can review the flagged findings in the HarborGuard dashboard and initiate a manual rebuild targeting 2.38.0 or 2.39.0.

Given the blast radius (host filesystem access and root-equivalent code execution, affecting every workload on the node), this fix belongs ahead of lower-severity queue items in any environment that runs Portainer CE in a multi-tenant or production context, and in particular wherever non-administrative users hold endpoint access, since that is all the attacker needs.

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 2.38.0
Affected Products: 1

Fix available: 2.38.0, 2.39.0

Affected packages
  • Portainer / Portainer Community Edition
    < 2.39.0 (from 0) · < 2.38.0 (from 0)
    The two listed ranges overlap; treat 2.38.0 and 2.39.0 as the fixed versions named under "Fix available" and confirm which one applies to your release line against the vendor advisory.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P