Vulnerability-Lookup

CVE-2026-44884 (GCVE-0-2026-44884)

Vulnerability from cvelistv5 – Published: 2026-05-28 20:58 – Updated: 2026-05-29 13:55

Title

Portainer: Missing authorization on custom template file endpoint exposes template content

Summary

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.

Severity

6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/portainer/portainer/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
portainer	portainer	Affected: >= 2.33.0, < 2.33.8 Affected: >= 2.39.0, < 2.39.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44884",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T13:55:28.420055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T13:55:35.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "portainer",
          "vendor": "portainer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.33.0, \u003c 2.33.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.39.0, \u003c 2.39.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T20:58:36.516Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc"
        }
      ],
      "source": {
        "advisory": "GHSA-cqpq-2fgr-8mvc",
        "discovery": "UNKNOWN"
      },
      "title": "Portainer: Missing authorization on custom template file endpoint exposes template content"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44884",
    "datePublished": "2026-05-28T20:58:36.516Z",
    "dateReserved": "2026-05-07T21:50:33.544Z",
    "dateUpdated": "2026-05-29T13:55:35.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44884",
      "date": "2026-06-03",
      "epss": "0.00032",
      "percentile": "0.09524"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44884\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-28T22:16:59.677\",\"lastModified\":\"2026-06-01T18:07:59.060\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"2.33.0\",\"versionEndExcluding\":\"2.33.8\",\"matchCriteriaId\":\"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"2.39.0\",\"versionEndExcluding\":\"2.39.1\",\"matchCriteriaId\":\"69AF042A-AD6A-4580-9862-B9C1E54946DF\"}]}]}],\"references\":[{\"url\":\"https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44884\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-29T13:55:28.420055Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-29T13:55:32.510Z\"}}], \"cna\": {\"title\": \"Portainer: Missing authorization on custom template file endpoint exposes template content\", \"source\": {\"advisory\": \"GHSA-cqpq-2fgr-8mvc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"portainer\", \"product\": \"portainer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.33.0, \u003c 2.33.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.39.0, \u003c 2.39.1\"}]}], \"references\": [{\"url\": \"https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc\", \"name\": \"https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-28T20:58:36.516Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44884\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-29T13:55:35.420Z\", \"dateReserved\": \"2026-05-07T21:50:33.544Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-28T20:58:36.516Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44884

Vulnerability from fkie_nvd - Published: 2026-05-28 22:16 - Updated: 2026-06-01 18:07

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	portainer	portainer	*
	portainer	portainer	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4",
              "versionEndExcluding": "2.33.8",
              "versionStartIncluding": "2.33.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "69AF042A-AD6A-4580-9862-B9C1E54946DF",
              "versionEndExcluding": "2.39.1",
              "versionStartIncluding": "2.39.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1."
    }
  ],
  "id": "CVE-2026-44884",
  "lastModified": "2026-06-01T18:07:59.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-28T22:16:59.677",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-CQPQ-2FGR-8MVC

Vulnerability from github – Published: 2026-05-14 16:34 – Updated: 2026-05-14 16:34

Summary

Portainer missing authorization on custom template file endpoint, which exposes template content

Details

Summary

A missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read.

Severity

Medium

CWE-862 — Missing Authorization

Exploitation requires an authenticated user account and at least one custom template to exist. Template files are returned verbatim and may contain embedded credentials.

Affected Versions

The vulnerability exists in every Portainer release since custom templates were introduced — the customTemplateFile handler has never performed an authorization check.

Fixes are included in the following releases:

Branch	First vulnerable	Fixed in
2.33.x (LTS)	2.33.0	2.33.8
2.39.x (LTS)	2.39.0	2.39.1

Portainer 2.40.0 and later are not affected — the fix was already on develop when the 2.40.x STS line branched. Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. All releases prior to 2.33.0 are end-of-life and will not receive a fix; users on EOL versions should upgrade to a supported release.

Workarounds

There is no runtime configuration that blocks the vulnerable endpoint directly. Administrators who cannot immediately upgrade can reduce exposure by:

Avoiding storing secrets in custom templates until the patched release is deployed. Move sensitive configuration values to Portainer environment variables or an external secret store.
Reviewing existing custom templates for embedded secrets. Assume any secret previously stored in a custom template on an unpatched instance has been exposed to every authenticated user and rotate accordingly.

Neither replaces the fix.

Affected Code

The customTemplateFile handler in api/http/handler/customtemplates/customtemplate_file.go (lines 30-53) retrieves a custom template by its numeric ID and returns the file content without performing any authorization check.

All other custom template endpoints properly verify access:

Endpoint	Method	Authorization Check
`/api/custom_templates/{id}`	GET (inspect)	`userCanEditTemplate()` + `UserCanAccessResource()`
`/api/custom_templates/{id}`	PUT (update)	`userCanEditTemplate()`
`/api/custom_templates/{id}`	DELETE	`userCanEditTemplate()`
`/api/custom_templates`	GET (list)	`FilterAuthorizedCustomTemplates()`
`/api/custom_templates/{id}/file`	GET	None

Vulnerable code (customtemplate_file.go:30-53):

func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
    customTemplateID, _ := request.RetrieveNumericRouteVariableValue(r, "id")
    customTemplate, _ := handler.DataStore.CustomTemplate().Read(portainer.CustomTemplateID(customTemplateID))
    // NO AUTHORIZATION CHECK
    fileContent, _ := handler.FileService.GetFileContent(customTemplate.ProjectPath, entryPath)
    return response.JSON(w, &fileResponse{FileContent: string(fileContent)})
}

Secure reference (customtemplate_inspect.go:50-75):

canEdit := userCanEditTemplate(customTemplate, securityContext)
hasAccess := authorization.UserCanAccessResource(securityContext.UserID, teamIDs, resourceControl)
if !canEdit && !hasAccess {
    return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)
}

Impact

Any authenticated user (including the lowest-privilege standard user) can read the file content of every custom template in the instance. Custom templates commonly contain Docker Compose configuration, which may include environment-specific secrets such as database connection strings, API tokens, or registry credentials.

Timeline

2026-02-11: Reported via GitHub Security Advisory by duddnr0615k.
2026-03-04: Fix merged to develop and cherry-picked to release/2.39.
2026-03-19: 2.39.1 released with fix.
2026-03-25: 2.40.0 released with fix already present from branch cut.
2026-05-07: 2.33.8 released.

Credit

duddnr0615k — identified and reported the missing authorization check on the custom template file endpoint.

Severity

6.0 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/portainer/portainer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/portainer/portainer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.39.0"
            },
            {
              "fixed": "2.39.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:34:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA missing authorization vulnerability in the Custom Template file endpoint (`GET /api/custom_templates/{id}/file`) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read.\n\n## Severity\n\n**Medium**\n\n**CWE-862** \u2014 Missing Authorization\n\nExploitation requires an authenticated user account and at least one custom template to exist. Template files are returned verbatim and may contain embedded credentials.\n\n## Affected Versions\n\nThe vulnerability exists in every Portainer release since custom templates were introduced \u2014 the `customTemplateFile` handler has never performed an authorization check.\n\nFixes are included in the following releases:\n\n| Branch              | First vulnerable | Fixed in   |\n|---------------------|------------------|------------|\n| 2.33.x (LTS)        | 2.33.0           | **2.33.8** |\n| 2.39.x (LTS)        | 2.39.0           | **2.39.1** |\n\nPortainer 2.40.0 and later are not affected \u2014 the fix was already on `develop` when the 2.40.x STS line branched. Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. All releases **prior to 2.33.0 are end-of-life** and will not receive a fix; users on EOL versions should upgrade to a supported release.\n\n## Workarounds\n\nThere is no runtime configuration that blocks the vulnerable endpoint directly. Administrators who cannot immediately upgrade can reduce exposure by:\n\n- **Avoiding storing secrets in custom templates** until the patched release is deployed. Move sensitive configuration values to Portainer environment variables or an external secret store.\n- **Reviewing existing custom templates** for embedded secrets. Assume any secret previously stored in a custom template on an unpatched instance has been exposed to every authenticated user and rotate accordingly.\n\nNeither replaces the fix.\n\n## Affected Code\nThe `customTemplateFile` handler in `api/http/handler/customtemplates/customtemplate_file.go` (lines 30-53) retrieves a custom template by its numeric ID and returns the file content without performing any authorization check.\n\nAll other custom template endpoints properly verify access:\n\n| Endpoint | Method | Authorization Check |\n|----------|--------|-------------------|\n| `/api/custom_templates/{id}` | GET (inspect) | `userCanEditTemplate()` + `UserCanAccessResource()` |\n| `/api/custom_templates/{id}` | PUT (update) | `userCanEditTemplate()` |\n| `/api/custom_templates/{id}` | DELETE | `userCanEditTemplate()` |\n| `/api/custom_templates` | GET (list) | `FilterAuthorizedCustomTemplates()` |\n| **`/api/custom_templates/{id}/file`** | **GET** | **None** |\n\n**Vulnerable code** (`customtemplate_file.go:30-53`):\n```go\nfunc (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {\n    customTemplateID, _ := request.RetrieveNumericRouteVariableValue(r, \"id\")\n    customTemplate, _ := handler.DataStore.CustomTemplate().Read(portainer.CustomTemplateID(customTemplateID))\n    // NO AUTHORIZATION CHECK\n    fileContent, _ := handler.FileService.GetFileContent(customTemplate.ProjectPath, entryPath)\n    return response.JSON(w, \u0026fileResponse{FileContent: string(fileContent)})\n}\n```\n\n**Secure reference** (`customtemplate_inspect.go:50-75`):\n```go\ncanEdit := userCanEditTemplate(customTemplate, securityContext)\nhasAccess := authorization.UserCanAccessResource(securityContext.UserID, teamIDs, resourceControl)\nif !canEdit \u0026\u0026 !hasAccess {\n    return httperror.Forbidden(\"Access denied to resource\", httperrors.ErrResourceAccessDenied)\n}\n```\n\n## Impact\nAny authenticated user (including the lowest-privilege standard user) can read the file content of every custom template in the instance. Custom templates commonly contain Docker Compose configuration, which may include environment-specific secrets such as database connection strings, API tokens, or registry credentials.\n\n## Timeline\n\n- 2026-02-11: Reported via GitHub Security Advisory by **duddnr0615k**.\n- 2026-03-04: Fix merged to `develop` and cherry-picked to `release/2.39`.\n- 2026-03-19: 2.39.1 released with fix.\n- 2026-03-25: 2.40.0 released with fix already present from branch cut.\n- 2026-05-07: 2.33.8 released.\n\n## Credit\n\n- **duddnr0615k** \u2014 identified and reported the missing authorization check on the custom template file endpoint.",
  "id": "GHSA-cqpq-2fgr-8mvc",
  "modified": "2026-05-14T16:34:02Z",
  "published": "2026-05-14T16:34:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/portainer/portainer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/releases/tag/2.33.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/releases/tag/2.39.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Portainer missing authorization on custom template file endpoint, which exposes template content"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44884 (GCVE-0-2026-44884)

FKIE_CVE-2026-44884

GHSA-CQPQ-2FGR-8MVC

Summary

Severity

Affected Versions

Workarounds

Affected Code

Impact

Timeline

Credit

Tags

Sightings

Nomenclature