CVE-2026-33590 PUBLISHED

Insecure default permissions in Portainer CE

Assigner: ENISA
Reserved: 23.03.2026 Published: 28.05.2026 Updated: 28.05.2026

Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent

access on the host.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Portainer
Product	Portainer Community Edition
Versions	Default: unaffected affected from 0 to 2.39.0 (excl.) affected from 0 to 2.38.0 (excl.)

References

Problem Types

CWE-276 Incorrect default permissions CWE