CVE-2026-33590 Insecure Default Settings in Portainer allow for host takeover

Posted on 12 June 2026 by Sifis Bampionitakis

Portainer, a popular open source platform for managing containers, was found to ship with insecure default settings in versions prior to 2.38.0. These defaults allowed regular users of Portainer to execute arbitrary commands with elevated privileges on the container host, which could lead to a host takeover.

This design flaw can be rated as an 8.2 HIGH severity issue under the CVSS 3.1 scoring system.

ENISA allocated CVE-2026-33590 to track the issue.

Users of Portainer are advised to upgrade their installation to version 2.38.0 (short term support) or 2.39.0 (long term support) or later. These releases carry the fixes that remediate the issue. After upgrading, it is recommended to review the Docker Security Settings of your setup, since the fix changes defaults but an existing deployment may still carry permissive settings.
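The remediation advice above as a small audit helper, added here as an example and not part of the advisory or of Portainer's own code. It assumes the per-environment Docker Security Settings are available as a JSON object with the `allow...ForRegularUsers` key names below (as we understand Portainer's API exposes them); verify those names against your own instance before relying on the output.

```python
"""Audit helper for the Portainer remediation advice: checks the running version
against the fixed releases and flags Docker Security Settings that grant regular
users host-level primitives. Added example; key names are assumptions."""
import json
from typing import Dict, List, Tuple

# Fixed releases named in the advisory (STS and LTS); anything >= 2.38.0 is fixed.
FIXED_VERSIONS = ("2.38.0", "2.39.0")

# Settings that, when enabled for regular users, let a non-admin reach the host.
# Key names assumed from Portainer's per-environment SecuritySettings object.
HOST_RISK_SETTINGS = {
    "allowBindMountsForRegularUsers": "bind-mount arbitrary host paths",
    "allowPrivilegedModeForRegularUsers": "run privileged containers",
    "allowHostNamespaceForRegularUsers": "share host PID/network namespaces",
    "allowDeviceMappingForRegularUsers": "map host devices into containers",
    "allowContainerCapabilitiesForRegularUsers": "add Linux capabilities",
    "allowSysctlSettingForRegularUsers": "set kernel sysctls",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'v2.37.1' -> (2, 37, 1); tolerates a leading 'v' and surrounding spaces."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_fixed_version(version: str) -> bool:
    """True when the version is at or above the first fixed release (2.38.0)."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[0])


def audit_security_settings(settings: Dict[str, bool]) -> List[str]:
    """Return one finding per host-risk setting that is enabled for regular users."""
    return [f"{key}: regular users can {why}"
            for key, why in HOST_RISK_SETTINGS.items() if settings.get(key, False)]


def audit(version: str, settings: Dict[str, bool]) -> Dict[str, object]:
    """Combine both checks into a report suitable for a ticket or a CI gate."""
    findings = audit_security_settings(settings)
    return {"version_fixed": is_fixed_version(version), "findings": findings,
            "action_required": (not is_fixed_version(version)) or bool(findings)}


# Constructed sample: an unpatched instance with two permissive toggles left on.
SAMPLE_SETTINGS = json.loads("""{"allowBindMountsForRegularUsers": true,
  "allowPrivilegedModeForRegularUsers": true, "allowVolumeBrowserForRegularUsers": true,
  "allowHostNamespaceForRegularUsers": false, "allowDeviceMappingForRegularUsers": false}""")

if __name__ == "__main__":
    print(json.dumps(audit("2.37.1", SAMPLE_SETTINGS), indent=2))
```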

Technical Analysis

A full technical analysis of the issue is available in our research blog post.

Issue Timeline

  • 2025-11-07 Issue reported to vendor under a 90-day disclosure policy
  • 2025-11-08 Vendor response (issue under review)
  • 2026-01-28 Vendor releases fix in Short Term Support version (2.38.0)
  • 2026-02-19 Fix verified; CVE allocation requested from vendor (no response)
  • 2026-02-25 Vendor releases fix in Long Term Support version (2.39.0)
  • 2026-02-26 intWave publishes detailed research blog post about the issue
  • 2026-03-23 CVE allocation requested through EL CSIRT
  • 2026-04-14 EL CSIRT contacts vendor (no response)
  • 2026-05-28 ENISA allocates CVE-2026-33590
  • 2026-06-12 Security advisory published on the intWave website and the OSS Security mailing list

Thanks

Many thanks to EL CSIRT and ENISA for helping us allocate a CVE for this issue.

We remain available for any further information required on the issue.