CVE-2026-55761 in Portainerinfo

Summary

by MITRE • 07/08/2026

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in Portainer Community Edition represents a critical authentication bypass flaw that exploits a temporal window during initial system setup. This weakness affects versions between 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, creating an extended period where unauthorized network attackers can gain full administrative privileges. The vulnerability specifically targets two critical endpoints: /api/restore and /api/users/admin/init which remain accessible even when the system should be in a locked initialization state. This design flaw allows malicious actors to craft and restore arbitrary backup files or initialize administrator accounts without proper authentication, effectively bypassing the entire security framework that should protect the initial setup phase.

The technical implementation of this vulnerability stems from improper access control enforcement during the five-minute window following system startup. During this period, the application fails to properly validate authentication status for critical administrative endpoints, creating an attack surface that persists longer than necessary for legitimate setup operations. The flaw aligns with CWE-284 Access Control Issues, specifically manifesting as insufficient authorization checks where authenticated access should be required but is not enforced. This vulnerability directly enables privilege escalation attacks and provides attackers with complete control over the container management platform, including the ability to deploy malicious containers, modify configurations, and access sensitive data stored within the environment.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it provides attackers with comprehensive administrative capabilities that could lead to significant security breaches. Once an attacker gains access through these endpoints, they can manipulate the entire container orchestration environment, potentially compromising multiple services running across Docker, Swarm, Kubernetes and ACI platforms. The five-minute window creates a substantial attack surface that network-based adversaries can exploit without requiring any prior credentials or knowledge of existing user accounts. This vulnerability directly maps to ATT&CK technique T1078 Valid Accounts, as it allows attackers to establish persistent administrative access through legitimate system initialization mechanisms, and also relates to T1566 Phishing, since the attack can be executed remotely without user interaction.

Mitigation strategies for this vulnerability include immediate upgrade to patched versions 2.39.4 and 2.43.0 where the authentication bypass has been resolved. Organizations should implement network segmentation to restrict access to Portainer endpoints, particularly during initial setup phases, and consider deploying additional monitoring for unusual activity on these administrative endpoints. The fix addresses the core issue by properly enforcing authentication requirements even during the initialization window, ensuring that no unauthenticated requests can access critical system restoration or administrator creation functions. Security teams should also conduct thorough audits of their Portainer deployments to identify any potential exploitation attempts and implement proper network access controls to minimize exposure during setup phases while maintaining operational functionality.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!