Back to overview

CVE-2026-55761

HIGH
7.1
CVSS 4.0
Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.

Metadata

CVE ID
CVE-2026-55761
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 14:34 UTC
Published
2026-07-08 15:03 UTC
Last updated
2026-07-08 15:52 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
portainer / portainer
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
portainer portainer >= 2.39.0, < 2.39.4
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287: Improper Authentication
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
References (6)
Back to overview