CVE-2026-33590— Insecure default permissions in Portainer CE

AI Predicted 7.8 Difficulty: Easy EPSS 0.05% · P16 Updated May 30, 2026

Possible ATT&CK Techniques 2AI

T1059 · Command and Scripting Interpreter T1078 · Valid Accounts

Affected Version Matrix 2

Vendor	Product	Version Range	Status
Portainer	Portainer Community Edition	`< 2.39.0`	affected
		`< 2.38.0`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Insecure default permissions in Portainer CE

Source: NVD (National Vulnerability Database)

Vulnerability Description

Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent access on the host.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

缺省权限不正确

Source: NVD (National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Portainer	Portainer Community Edition	0 ~ 2.39.0	-

II. Public POCs for CVE-2026-33590

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-33590

请登录查看更多情报信息。

Patches & Fixes for CVE-2026-33590 (2)

Security Blog Posts for CVE-2026-33590 (1)

🔗 Improving Portainer Security Read full article third-party-advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-33590

Same Patch Batch · Portainer · 2026-05-28 · 9 CVEs total

CVE-2026-44850	8.5 HIGH	Portainer: Bind-mount restriction bypass via HostConfig.Mounts
CVE-2026-44882	8.1 HIGH	Portainer: Kubernetes middleware continues after token validation failure, bypassing endpo
CVE-2026-44885	5.5 MEDIUM	Portainer: Path traversal in backup archive extraction allows arbitrary file write
CVE-2026-44881		Portainer: Arbitrary File Read via Git Symlink Injection in Stack Auto-Update
CVE-2026-44884		Portainer: Missing authorization on custom template file endpoint exposes template content
CVE-2026-44848		Portainer: Missing authorization on Docker plugin endpoints allows host RCE
CVE-2026-44883		Portainer: JWT accepted in URL query leaks tokens to logs and referers
CVE-2026-44849		Portainer: Endpoint security bypass via Swarm service create/update

IV. Related Vulnerabilities

Same vendor: Portainer

Same weakness: CWE-276

V. Comments for CVE-2026-33590

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-33590— Insecure default permissions in Portainer CE

Possible ATT&CK Techniques 2AI

Affected Version Matrix 2

I. Basic Information for CVE-2026-33590

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-33590

III. Intelligence Information for CVE-2026-33590

Patches & Fixes for CVE-2026-33590 (2)

Security Blog Posts for CVE-2026-33590 (1)

Same Patch Batch · Portainer · 2026-05-28 · 9 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-33590

Leave a comment