CVE-2026-44884: Portainer Custom Template Information Disclosure Vulnerability
Portainer Community Edition versions 2.33.0 through 2.33.7 and 2.39.0 contain a flaw that lets any logged-in user view template files they shouldn't have access to. By trying different ID numbers, an attacker can enumerate and read custom template files that may hold sensitive credentials or connection strings—data that administrators likely assume only authorized users can see. The vulnerability has been patched in versions 2.33.8 and 2.39.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A missing authorization check in the GET /api/custom_templates/{id}/file endpoint fails to validate whether the authenticated user has Resource Control permissions to access a specific custom template. The endpoint accepts sequential integer IDs and returns file content without verifying access restrictions, allowing any authenticated user to bypass intended RBAC boundaries through ID enumeration. The vulnerability affects Portainer Community Edition from 2.33.0 up to (but not including) 2.33.8, and 2.39.0 up to (but not including) 2.39.1.
Business impact
Organizations deploying Portainer for multi-tenant or role-separated container management face information disclosure risk. Custom templates often embed environment-specific credentials, API tokens, registry secrets, and database connection strings. An insider or compromised standard user account can extract these templates, potentially gaining lateral movement capability or access to backend systems the template was designed to interact with. In regulated environments, unauthorized credential exposure may trigger compliance reporting obligations.
Affected systems
Portainer Community Edition versions 2.33.0 through 2.33.7 (inclusive) and version 2.39.0 are affected. Version 2.33.8 and 2.39.1 contain the fix. Deployments on Docker, Swarm, Kubernetes, or Azure Container Instances using vulnerable Portainer versions require immediate attention. Enterprise Edition status should be verified against vendor guidance.
Exploitability
Exploitation requires valid authentication—an attacker must have a legitimate Portainer login, though any privilege level suffices. Once authenticated, the attack is trivial: simple HTTP GET requests with incremented template IDs will retrieve files without user interaction. No special network access, uncommon tools, or timing constraints are needed. The CVSS score of 6.5 reflects the requirement for prior authentication but acknowledges the high confidentiality impact and ease of execution.
Remediation
Upgrade Portainer Community Edition to version 2.33.8 or 2.39.1 or later. Verify the deployed version matches your release series (2.33.x or 2.39.x) and confirm the patch version after upgrade. Review custom templates for sensitive data and consider rotating any credentials that may have been exposed during the vulnerable window. Audit access logs for suspicious enumeration of template IDs.
Patch guidance
Download and deploy Portainer Community Edition 2.33.8 (for users on the 2.33.x line) or 2.39.1 (for users on the 2.39.x line) from the official Portainer release repository. Test in a non-production environment first to confirm compatibility with your orchestration platform. Verify the fix by confirming the endpoint now enforces Resource Control checks; attempt to retrieve a custom template ID for which your test account lacks permission and expect a 403 Forbidden response. Document the patch timestamp for compliance records.
Detection guidance
Monitor for repeated GET requests to /api/custom_templates/{id}/file with sequential or rapidly changing ID parameters from a single authenticated user, especially from accounts with limited permissions. Inspect audit logs for template file access patterns inconsistent with user role. Implement API request logging with parameter capture to identify enumeration attempts. Consider restricting direct API access to known integration points and enforcing rate limits on template endpoint queries.
Why prioritize this
Although rated MEDIUM severity, this vulnerability warrants prompt patching because it directly exposes secrets and credentials in multi-user or multi-tenant deployments. The barrier to exploitation is low (authentication + simple enumeration), the impact is high (credential disclosure), and template files are frequently used to store sensitive configuration. Organizations with multiple users or roles in Portainer should treat this as high priority.
Risk score, explained
CVSS 6.5 reflects: Attack Vector = Network (endpoint is HTTP/HTTPS-accessible), Attack Complexity = Low (no special conditions), Privileges Required = Low (any authenticated user), User Interaction = None (direct API call), Scope = Unchanged (no privilege escalation beyond reading templates), Confidentiality = High (secrets exposed), Integrity = None, Availability = None. The score appropriately captures that this is a pure information disclosure flaw with a low execution bar but significant business consequence.
Frequently asked questions
Do we need to patch both 2.33.8 and 2.39.1, or just one?
Patch the version your deployment uses. If you run 2.33.x, upgrade to 2.33.8 or later. If you run 2.39.x, upgrade to 2.39.1 or later. You do not need both unless you maintain separate Portainer instances on different version tracks.
Can we detect if this vulnerability was exploited in our environment?
Yes, review Portainer's audit logs and API access logs for GET requests to /api/custom_templates/{id}/file. Look for patterns of sequential ID requests from standard-privilege accounts or unusual template file accesses. If your logging is limited, consider enabling detailed API logging before patching and audit the interval between published date (2026-05-28) and your patch date.
Are custom templates the only exposure, or can other endpoints be affected?
This CVE specifically targets the custom template file endpoint. However, after patching, conduct a security review of other sensitive endpoints in your Portainer API to ensure similar authorization checks are in place. Use the vendor's security guidance or engage Portainer support for a broader assessment.
Do we have to rotate all credentials stored in templates?
Rotation is prudent if you cannot confirm your deployment was not accessed during the vulnerable window, or if you operate in a regulated environment where credential exposure must be reported. At minimum, rotate credentials for templates that were modified or accessed immediately before patching. Document the rotation for audit purposes.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations should verify all technical details against official Portainer vendor advisories and test patches in controlled environments before production deployment. Assume all version numbers, dates, and CVSS scores in this document are accurate as of publication; consult primary vendor sources to confirm current status and any additional guidance. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any reliance on it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44848HIGHPortainer Plugin Management RBAC Bypass – Privilege Escalation in Community Edition
- CVE-2026-44849HIGHPortainer EndpointSecuritySettings Bypass via Docker Swarm API
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP