CVE-2026-44849

Source
https://cve.org/CVERecord?id=CVE-2026-44849
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44849.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44849
Aliases
Published
2026-05-28T21:06:05.256Z
Modified
2026-07-08T08:09:37.084996765Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Portainer: Endpoint security bypass via Swarm service create/update
Details

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44849.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/portainer/portainer

Affected ranges

Type
GIT
Repo
https://github.com/portainer/portainer
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*",
        "cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.39.1"
        },
        {
            "introduced": "2.40.0"
        },
        {
            "last_affected": "2.40.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

2.*
2.40.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44849.json"