
CVE-2026-44881 | portainer Community Edition up to 2.33.7/2.39.1/2.40.x /api/stacks/{id}/file link following (GHSA-rpgq-m5fp-32wr)

ID: d2655c6f-4fa6-57a5-8193-e995df87d779

STIX ID: report--d2655c6f-4fa6-57a5-8193-e995df87d779

Feed Name: VulDB Recent Entries

Threat Score: 55/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: vuldb.com


Portainer Community Edition is affected by a link-following vulnerability (CVE-2026-44881) in the /api/stacks/{id}/file endpoint. Authenticated users with rights to create or update Git-backed stacks can read arbitrary files by exploiting symlinked repository entries. Technical details are published and no exploit is available. The issue is fixed in Portainer CE 2.33.8, 2.39.2 and 2.41.0; upgrade is recommended.
