GHSA-CQPQ-2FGR-8MVC

Vulnerability from github – Published: 2026-05-14 16:34 – Updated: 2026-05-14 16:34
VLAI
Summary
Portainer missing authorization on custom template file endpoint, which exposes template content
Details

Summary

A missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read.

Severity

Medium

CWE-862 — Missing Authorization

Exploitation requires an authenticated user account and at least one custom template to exist. Template files are returned verbatim and may contain embedded credentials.

Affected Versions

The vulnerability exists in every Portainer release since custom templates were introduced — the customTemplateFile handler has never performed an authorization check.

Fixes are included in the following releases:

Branch First vulnerable Fixed in
2.33.x (LTS) 2.33.0 2.33.8
2.39.x (LTS) 2.39.0 2.39.1

Portainer 2.40.0 and later are not affected — the fix was already on develop when the 2.40.x STS line branched. Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. All releases prior to 2.33.0 are end-of-life and will not receive a fix; users on EOL versions should upgrade to a supported release.

Workarounds

There is no runtime configuration that blocks the vulnerable endpoint directly. Administrators who cannot immediately upgrade can reduce exposure by:

  • Avoiding storing secrets in custom templates until the patched release is deployed. Move sensitive configuration values to Portainer environment variables or an external secret store.
  • Reviewing existing custom templates for embedded secrets. Assume any secret previously stored in a custom template on an unpatched instance has been exposed to every authenticated user and rotate accordingly.

Neither replaces the fix.

Affected Code

The customTemplateFile handler in api/http/handler/customtemplates/customtemplate_file.go (lines 30-53) retrieves a custom template by its numeric ID and returns the file content without performing any authorization check.

All other custom template endpoints properly verify access:

Endpoint Method Authorization Check
/api/custom_templates/{id} GET (inspect) userCanEditTemplate() + UserCanAccessResource()
/api/custom_templates/{id} PUT (update) userCanEditTemplate()
/api/custom_templates/{id} DELETE userCanEditTemplate()
/api/custom_templates GET (list) FilterAuthorizedCustomTemplates()
/api/custom_templates/{id}/file GET None

Vulnerable code (customtemplate_file.go:30-53):

func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
    customTemplateID, _ := request.RetrieveNumericRouteVariableValue(r, "id")
    customTemplate, _ := handler.DataStore.CustomTemplate().Read(portainer.CustomTemplateID(customTemplateID))
    // NO AUTHORIZATION CHECK
    fileContent, _ := handler.FileService.GetFileContent(customTemplate.ProjectPath, entryPath)
    return response.JSON(w, &fileResponse{FileContent: string(fileContent)})
}

Secure reference (customtemplate_inspect.go:50-75):

canEdit := userCanEditTemplate(customTemplate, securityContext)
hasAccess := authorization.UserCanAccessResource(securityContext.UserID, teamIDs, resourceControl)
if !canEdit && !hasAccess {
    return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)
}

Impact

Any authenticated user (including the lowest-privilege standard user) can read the file content of every custom template in the instance. Custom templates commonly contain Docker Compose configuration, which may include environment-specific secrets such as database connection strings, API tokens, or registry credentials.

Timeline

  • 2026-02-11: Reported via GitHub Security Advisory by duddnr0615k.
  • 2026-03-04: Fix merged to develop and cherry-picked to release/2.39.
  • 2026-03-19: 2.39.1 released with fix.
  • 2026-03-25: 2.40.0 released with fix already present from branch cut.
  • 2026-05-07: 2.33.8 released.

Credit

  • duddnr0615k — identified and reported the missing authorization check on the custom template file endpoint.
Severity
6.0 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/portainer/portainer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/portainer/portainer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.39.0"
            },
            {
              "fixed": "2.39.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:34:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA missing authorization vulnerability in the Custom Template file endpoint (`GET /api/custom_templates/{id}/file`) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read.\n\n## Severity\n\n**Medium**\n\n**CWE-862** \u2014 Missing Authorization\n\nExploitation requires an authenticated user account and at least one custom template to exist. Template files are returned verbatim and may contain embedded credentials.\n\n## Affected Versions\n\nThe vulnerability exists in every Portainer release since custom templates were introduced \u2014 the `customTemplateFile` handler has never performed an authorization check.\n\nFixes are included in the following releases:\n\n| Branch              | First vulnerable | Fixed in   |\n|---------------------|------------------|------------|\n| 2.33.x (LTS)        | 2.33.0           | **2.33.8** |\n| 2.39.x (LTS)        | 2.39.0           | **2.39.1** |\n\nPortainer 2.40.0 and later are not affected \u2014 the fix was already on `develop` when the 2.40.x STS line branched. Portainer LTS branches receive fixes for 6 months plus a 3-month overlap after the next LTS ships. All releases **prior to 2.33.0 are end-of-life** and will not receive a fix; users on EOL versions should upgrade to a supported release.\n\n## Workarounds\n\nThere is no runtime configuration that blocks the vulnerable endpoint directly. Administrators who cannot immediately upgrade can reduce exposure by:\n\n- **Avoiding storing secrets in custom templates** until the patched release is deployed. Move sensitive configuration values to Portainer environment variables or an external secret store.\n- **Reviewing existing custom templates** for embedded secrets. Assume any secret previously stored in a custom template on an unpatched instance has been exposed to every authenticated user and rotate accordingly.\n\nNeither replaces the fix.\n\n## Affected Code\nThe `customTemplateFile` handler in `api/http/handler/customtemplates/customtemplate_file.go` (lines 30-53) retrieves a custom template by its numeric ID and returns the file content without performing any authorization check.\n\nAll other custom template endpoints properly verify access:\n\n| Endpoint | Method | Authorization Check |\n|----------|--------|-------------------|\n| `/api/custom_templates/{id}` | GET (inspect) | `userCanEditTemplate()` + `UserCanAccessResource()` |\n| `/api/custom_templates/{id}` | PUT (update) | `userCanEditTemplate()` |\n| `/api/custom_templates/{id}` | DELETE | `userCanEditTemplate()` |\n| `/api/custom_templates` | GET (list) | `FilterAuthorizedCustomTemplates()` |\n| **`/api/custom_templates/{id}/file`** | **GET** | **None** |\n\n**Vulnerable code** (`customtemplate_file.go:30-53`):\n```go\nfunc (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {\n    customTemplateID, _ := request.RetrieveNumericRouteVariableValue(r, \"id\")\n    customTemplate, _ := handler.DataStore.CustomTemplate().Read(portainer.CustomTemplateID(customTemplateID))\n    // NO AUTHORIZATION CHECK\n    fileContent, _ := handler.FileService.GetFileContent(customTemplate.ProjectPath, entryPath)\n    return response.JSON(w, \u0026fileResponse{FileContent: string(fileContent)})\n}\n```\n\n**Secure reference** (`customtemplate_inspect.go:50-75`):\n```go\ncanEdit := userCanEditTemplate(customTemplate, securityContext)\nhasAccess := authorization.UserCanAccessResource(securityContext.UserID, teamIDs, resourceControl)\nif !canEdit \u0026\u0026 !hasAccess {\n    return httperror.Forbidden(\"Access denied to resource\", httperrors.ErrResourceAccessDenied)\n}\n```\n\n## Impact\nAny authenticated user (including the lowest-privilege standard user) can read the file content of every custom template in the instance. Custom templates commonly contain Docker Compose configuration, which may include environment-specific secrets such as database connection strings, API tokens, or registry credentials.\n\n## Timeline\n\n- 2026-02-11: Reported via GitHub Security Advisory by **duddnr0615k**.\n- 2026-03-04: Fix merged to `develop` and cherry-picked to `release/2.39`.\n- 2026-03-19: 2.39.1 released with fix.\n- 2026-03-25: 2.40.0 released with fix already present from branch cut.\n- 2026-05-07: 2.33.8 released.\n\n## Credit\n\n- **duddnr0615k** \u2014 identified and reported the missing authorization check on the custom template file endpoint.",
  "id": "GHSA-cqpq-2fgr-8mvc",
  "modified": "2026-05-14T16:34:02Z",
  "published": "2026-05-14T16:34:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/portainer/portainer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/releases/tag/2.33.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/portainer/portainer/releases/tag/2.39.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Portainer missing authorization on custom template file endpoint, which exposes template content"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.