GHSA-JVP4-Q659-95MJ
Vulnerability from github – Published: 2026-05-14 16:33 – Updated: 2026-05-14 16:33
VLAI
Summary
Portainer: JWT accepted in URL query leaks tokens to logs and referers
Details
Summary
Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable).
The ?token= parameter was used by Portainer's browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed — not only administrators.
Severity
High
Attack complexity is High because exploitation depends on the attacker obtaining a leaked token from a log, referer, or shared URL. Once obtained, a leaked token grants the privileges of the user it was issued to; for administrator tokens this compromises confidentiality, integrity, and availability of Portainer itself and of every Docker/Kubernetes environment it manages — container exec and stack deployment make host-level compromise reachable, so subsequent-system impact is also High.
Affected Versions
Query-parameter token acceptance has existed since JWT authentication was introduced in Portainer.
Fixes are included in the following releases:
| Branch | First vulnerable | Fixed in |
|---|---|---|
| 2.33.x (LTS) | 2.33.0 | 2.33.8 |
| 2.39.x (LTS) | 2.39.0 | 2.39.2 |
| 2.40.x (STS) | all prior | 2.41.0 |
Portainer releases prior to 2.33.0 are end-of-life and will not receive a fix. Users on EOL versions should upgrade to a supported LTS branch.
Workarounds
Administrators who cannot immediately upgrade can reduce exposure by:
- Stripping
?token=at the reverse proxy. A rewrite rule in nginx, Traefik, or equivalent that removes thetokenquery parameter before the request reaches Portainer blocks the query-parameter auth path entirely. Container exec and interactive shells rely on the query-parameter token for WebSocket upgrade and will stop working until the patched release is deployed. - Auditing existing logs. Search reverse-proxy access logs and application logs for
?token=or&token=occurrences and treat any captured JWT as compromised. Resetting the affected user's password invalidates their sessions; reducing the JWT session timeout in Portainer settings shortens the exposure window for tokens already issued. - Administrator hygiene. Do not share Portainer URLs that contain
?token=in chat, email, or tickets, and avoid navigating to external sites from within the Portainer UI on unpatched instances — theRefererheader will carry the token.
None of these replace the fix.
Affected Code
Pre-fix, extractBearerToken in api/http/security/bouncer.go read the JWT from the token query parameter before falling back to the Authorization header. The query.Del("token") call scrubs the parameter from r.URL.RawQuery on the way through Portainer, but by that point the original URL has already been recorded by any upstream reverse proxy, access logger, or browser.
func extractBearerToken(r *http.Request) (string, bool) {
query := r.URL.Query()
token := query.Get("token")
if token != "" {
query.Del("token")
r.URL.RawQuery = query.Encode()
return token, true
}
tokens, ok := r.Header[jwtTokenHeader]
if !ok || len(tokens) == 0 {
return "", false
}
// ...
}
The fix removes the query-parameter path entirely. Authenticated requests now carry the JWT via the Authorization header for API clients, or via the portainer_api_key HttpOnly cookie for the browser UI — cookies are sent automatically on same-origin WebSocket upgrade requests, so the browser-based container attach, exec, and pod shell features continue to work without exposing the token in the URL. The WebSocket handlers that previously documented ?token= as a required query parameter have been updated to match.
Impact
- Token leakage to infrastructure. Intermediate systems that observe the request URL — reverse proxies, load balancers, access logs, WAFs, and corporate network monitoring — capture the full JWT in plaintext.
- Token leakage via the browser. URLs containing
?token=are recorded in browser history and forwarded in theRefererheader on any outbound navigation from the Portainer UI. - Account takeover. Anyone with access to a leaked JWT acts as the authenticated user for the remainder of the token's validity, without needing the password. If the leaked token belongs to an administrator, the attacker gains full API access including user management, container exec, and stack deployment.
- Reach beyond Portainer. Container exec with an administrator JWT reaches the host filesystem of managed environments and can be used to execute commands on those hosts.
Timeline
- 2026-03-06: Reported via GitHub Security Advisory by scanpwn.
- 2026-04-14: Fix merged to
develop. - 2026-04-29: 2.41.0 released.
- 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.
Credit
- scanpwn — identified and reported the query-parameter JWT acceptance and the resulting token-leakage vectors.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.39.0"
},
{
"fixed": "2.39.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.40.0"
},
{
"fixed": "2.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44883"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T16:33:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nPortainer\u0027s authentication middleware accepts JWT bearer tokens passed as the `?token=\u003cJWT\u003e` URL query parameter on any authenticated API endpoint, in addition to the standard `Authorization: Bearer` header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP `Referer` headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable).\n\nThe `?token=` parameter was used by Portainer\u0027s browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed \u2014 not only administrators.\n\n## Severity\n**High**\n\nAttack complexity is High because exploitation depends on the attacker obtaining a leaked token from a log, referer, or shared URL. Once obtained, a leaked token grants the privileges of the user it was issued to; for administrator tokens this compromises confidentiality, integrity, and availability of Portainer itself and of every Docker/Kubernetes environment it manages \u2014 container exec and stack deployment make host-level compromise reachable, so subsequent-system impact is also High.\n\n## Affected Versions\nQuery-parameter token acceptance has existed since JWT authentication was introduced in Portainer.\n\nFixes are included in the following releases:\n\n| Branch | First vulnerable | Fixed in |\n|---------------------|------------------|------------|\n| 2.33.x (LTS) | 2.33.0 | **2.33.8** |\n| 2.39.x (LTS) | 2.39.0 | **2.39.2** |\n| 2.40.x (STS) | all prior | **2.41.0** |\n\nPortainer releases prior to 2.33.0 are end-of-life and will not receive a fix. Users on EOL versions should upgrade to a supported LTS branch.\n\n## Workarounds\nAdministrators who cannot immediately upgrade can reduce exposure by:\n\n- **Stripping `?token=` at the reverse proxy.** A rewrite rule in nginx, Traefik, or equivalent that removes the `token` query parameter before the request reaches Portainer blocks the query-parameter auth path entirely. Container exec and interactive shells rely on the query-parameter token for WebSocket upgrade and will stop working until the patched release is deployed.\n- **Auditing existing logs.** Search reverse-proxy access logs and application logs for `?token=` or `\u0026token=` occurrences and treat any captured JWT as compromised. Resetting the affected user\u0027s password invalidates their sessions; reducing the JWT session timeout in Portainer settings shortens the exposure window for tokens already issued.\n- **Administrator hygiene.** Do not share Portainer URLs that contain `?token=` in chat, email, or tickets, and avoid navigating to external sites from within the Portainer UI on unpatched instances \u2014 the `Referer` header will carry the token.\n\nNone of these replace the fix.\n\n## Affected Code\nPre-fix, `extractBearerToken` in `api/http/security/bouncer.go` read the JWT from the `token` query parameter before falling back to the `Authorization` header. The `query.Del(\"token\")` call scrubs the parameter from `r.URL.RawQuery` on the way through Portainer, but by that point the original URL has already been recorded by any upstream reverse proxy, access logger, or browser.\n\n```go\nfunc extractBearerToken(r *http.Request) (string, bool) {\n query := r.URL.Query()\n token := query.Get(\"token\")\n if token != \"\" {\n query.Del(\"token\")\n r.URL.RawQuery = query.Encode()\n return token, true\n }\n\n tokens, ok := r.Header[jwtTokenHeader]\n if !ok || len(tokens) == 0 {\n return \"\", false\n }\n // ...\n}\n```\n\nThe fix removes the query-parameter path entirely. Authenticated requests now carry the JWT via the `Authorization` header for API clients, or via the `portainer_api_key` HttpOnly cookie for the browser UI \u2014 cookies are sent automatically on same-origin WebSocket upgrade requests, so the browser-based container attach, exec, and pod shell features continue to work without exposing the token in the URL. The WebSocket handlers that previously documented `?token=` as a required query parameter have been updated to match.\n\n## Impact\n- **Token leakage to infrastructure.** Intermediate systems that observe the request URL \u2014 reverse proxies, load balancers, access logs, WAFs, and corporate network monitoring \u2014 capture the full JWT in plaintext.\n- **Token leakage via the browser.** URLs containing `?token=` are recorded in browser history and forwarded in the `Referer` header on any outbound navigation from the Portainer UI.\n- **Account takeover.** Anyone with access to a leaked JWT acts as the authenticated user for the remainder of the token\u0027s validity, without needing the password. If the leaked token belongs to an administrator, the attacker gains full API access including user management, container exec, and stack deployment.\n- **Reach beyond Portainer.** Container exec with an administrator JWT reaches the host filesystem of managed environments and can be used to execute commands on those hosts.\n\n## Timeline\n- 2026-03-06: Reported via GitHub Security Advisory by **scanpwn**.\n- 2026-04-14: Fix merged to `develop`.\n- 2026-04-29: 2.41.0 released.\n- 2026-05-07: 2.39.2-LTS and 2.33.8-LTS released.\n\n## Credit\n- **scanpwn** \u2014 identified and reported the query-parameter JWT acceptance and the resulting token-leakage vectors.",
"id": "GHSA-jvp4-q659-95mj",
"modified": "2026-05-14T16:33:48Z",
"published": "2026-05-14T16:33:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/security/advisories/GHSA-jvp4-q659-95mj"
},
{
"type": "PACKAGE",
"url": "https://github.com/portainer/portainer"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.33.8"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.39.2"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.41.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Portainer: JWT accepted in URL query leaks tokens to logs and referers"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…