CVE-2026-44884

UNKNOWN 0.0

Portainer: Missing authorization on custom template file endpoint exposes template content

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

12th

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.

CWE	CWE-862
Vendor	portainer
Product	portainer
Published	May 28, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for portainer portainer

Be the first to know when new unknown vulnerabilities affecting portainer portainer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

portainer / portainer

>= 2.33.0, < 2.33.8 >= 2.39.0, < 2.39.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc