CVE-2026-44884 | portainer Community Edition up to 2.33.7/2.39.0 Custom Template File Endpoint file authorization (GHSA-cqpq-2fgr-8mvc)
ID: dc7dface-77ef-5dc0-ba09-5d7175dea4b3
STIX ID: report--dc7dface-77ef-5dc0-ba09-5d7175dea4b3
Feed Name: VulDB Recent Entries
Portainer Community Edition (<= 2.33.7 / <= 2.39.0) contains a missing authorization vulnerability (CVE-2026-44884) in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) that allows any authenticated user to enumerate IDs and read custom template file contents, potentially exposing connection strings, API tokens, or registry credentials. The issue is remotely exploitable but requires authentication; no public exploit is reported, and the vendor fixed the flaw in versions 2.33.8 and 2.39.1. Upgrading to the patched releases is recommended.
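One way to review access logs for the ID enumeration described above, as an added example that is not part of the advisory or of Portainer's code. The reverse-proxy log format, the sample lines, and the `min_distinct_ids` threshold are assumptions; requests are grouped by client address because this log format does not carry the Portainer user.

```python
import re
from collections import defaultdict

# Constructed sample: common-log-format lines from an assumed reverse proxy
# in front of Portainer. Addresses, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /api/custom_templates/1/file HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /api/custom_templates/2/file HTTP/1.1" 200 2048
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /api/custom_templates/3/file HTTP/1.1" 404 31
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /api/custom_templates/4/file HTTP/1.1" 200 890
10.0.0.5 - - [12/May/2026:10:00:03 +0000] "GET /api/custom_templates/5/file HTTP/1.1" 404 31
10.0.0.5 - - [12/May/2026:10:00:03 +0000] "GET /api/custom_templates/6/file HTTP/1.1" 200 1301
10.0.0.9 - - [12/May/2026:10:05:00 +0000] "GET /api/custom_templates/2/file HTTP/1.1" 200 2048
10.0.0.9 - - [12/May/2026:10:06:10 +0000] "GET /api/custom_templates/2/file HTTP/1.1" 200 2048
10.0.0.9 - - [12/May/2026:10:09:30 +0000] "GET /api/custom_templates/4/file HTTP/1.1" 200 890
10.0.0.9 - - [12/May/2026:10:09:40 +0000] "GET /api/stacks HTTP/1.1" 200 77
"""

# Only GET requests to the endpoint named in the advisory are matched.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /api/custom_templates/(?P<id>\d+)/file(?:\?\S*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def find_enumeration(log_text, min_distinct_ids=5):
    """Return clients that requested many distinct template IDs.

    For each flagged client, 'requested' lists every ID probed and 'read'
    lists the IDs answered with 200, i.e. template files that may have been
    disclosed and whose embedded secrets should be reviewed for rotation.
    """
    seen = defaultdict(lambda: {"ids": set(), "ok": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated endpoint or unparsable line
        entry = seen[m["client"]]
        template_id = int(m["id"])
        entry["ids"].add(template_id)
        if m["status"] == "200":
            entry["ok"].add(template_id)
    return {
        client: {"requested": sorted(e["ids"]), "read": sorted(e["ok"])}
        for client, e in seen.items()
        if len(e["ids"]) >= min_distinct_ids
    }

if __name__ == "__main__":
    for client, hits in find_enumeration(SAMPLE_LOG).items():
        print(client, hits)
```

Tune the threshold to how many custom templates a single user normally opens in your environment; repeated reads of the same ID do not count toward it.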
