CVE-2026-44882: Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement — execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware — for example a user without permission to access a given Kubernetes endpoint — would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8.
HarborGuard Analysis
Synopsis
An authorization bypass vulnerability exists in Portainer (Community Edition and Enterprise Edition) versions 2.33.0 through 2.33.7, caused by a missing return statement in the Kubernetes middleware layer (kubeClientMiddleware). After token validation fails, the middleware writes a 403 response but continues executing, forwarding the request to the Kubernetes cluster with a nil token value instead of halting. A logged-in user who lacks permission to access a specific Kubernetes endpoint can exploit this to reach that endpoint anyway, reading cluster data or modifying Kubernetes resources they should be blocked from. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.
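The defect class described above, reduced to a minimal Go example (added here; this is not Portainer's code): the 403 is written, but without a `return` the next handler in the chain still runs. The `retrieveTokenData` stub, the `X-Example-Token` header and the request path are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// retrieveTokenData stands in for security.RetrieveTokenData; the header name and value are constructed.
func retrieveTokenData(r *http.Request) (string, error) {
	if r.Header.Get("X-Example-Token") != "valid" {
		return "", errors.New("invalid token")
	}
	return "alice", nil
}

// vulnerableMiddleware reproduces the defect: the 403 is written, but execution falls through to next.
func vulnerableMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := retrieveTokenData(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			// missing return: the downstream proxy handler still runs with no token
		}
		next.ServeHTTP(w, r)
	})
}

// fixedMiddleware adds the return so the chain stops on validation failure.
func fixedMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := retrieveTokenData(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// forwarded sends a request with no valid token through mw and reports whether
// the downstream (cluster proxy) handler was reached.
func forwarded(mw func(http.Handler) http.Handler) bool {
	reached := false
	proxy := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { reached = true })
	req := httptest.NewRequest(http.MethodGet, "/kubernetes/api/v1/secrets", nil)
	mw(proxy).ServeHTTP(httptest.NewRecorder(), req)
	return reached
}

func main() { fmt.Println("vulnerable:", forwarded(vulnerableMiddleware), "fixed:", forwarded(fixedMiddleware)) }
```

A unit test of this shape, asserting that the proxy handler is never reached when validation fails, is the regression check that would have caught the missing return.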
HarborGuard Coverage
- Status: Available
Detection of CVE-2026-44882 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Portainer, in both registry scans and CI/CD pipeline checks.
- Status: Available
HarborGuard scores this CVE at CVSS 8.1 (HIGH) and is capable of weighting that score against each customer environment's compliance policy to surface the finding in the appropriate team inbox, prioritizing it alongside other high-severity authorization issues.
- Status: Pending upstream
No fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available, with auto-remediation customers receiving a rebuilt image, a regression-test run, and a PR opened against affected workloads, the moment an upstream fix is released.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Portainer service over the network, as the vulnerability is exposed via Portainer's HTTP API endpoints.
- Authentication: Required
A valid Portainer session is required; any low-privilege account with a session token is sufficient to trigger the bypass.
- Victim interaction: Not required
No victim interaction is needed; the attacker sends requests directly to the Portainer API without involving another user.
- Attack complexity: Low
Exploit conditions are straightforward and reliable, requiring no race condition or special environmental setup beyond holding a valid Portainer session.
Blast Radius
- An attacker reads Kubernetes cluster data, such as pod specs, secrets, config maps, and service account tokens, from endpoints they are not authorized to access.
- An attacker modifies Kubernetes resources, such as deployments, roles, or configurations, across endpoints their Portainer permissions should block.
- The bypass is scoped to Kubernetes endpoints behind the flawed middleware, so direct access to Docker or Swarm environments managed by the same Portainer instance is not affected by this specific defect.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44882 is active across scanning pipelines and will flag any image found to include an affected Portainer build (2.33.0 through 2.33.7). Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and a PR against affected workloads with no manual steps required. In the interim, compensating controls worth considering include network-policy rules that restrict which users or service accounts can reach Portainer's Kubernetes proxy endpoints, egress filtering at the cluster boundary to limit what a forwarded request can do, and audit-log review of Kubernetes API activity for requests originating from Portainer with unexpected privilege levels.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- portainer/portainer >= 2.33.0, < 2.33.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N