CVE-2026-44849 | Portainer Community Edition up to 2.33.7/2.39.1/2.40.x Docker Swarm Service API authorization (GHSA-5fxq-qcf3-244w)
ID: e7aaabdd-cedb-5db4-ba0c-fbed5bf6b9fd
STIX ID: report--e7aaabdd-cedb-5db4-ba0c-fbed5bf6b9fd
Feed Name: VulDB Recent Entries
Portainer CE contains an authorization bypass (CVE-2026-44849) in the Docker Swarm Service API that can allow non-admin users to circumvent the configured EndpointSecuritySettings (e.g., privileged mode, host PID, device mapping, capabilities, sysctls, security-opt, bind mounts). The issue is remotely exploitable in principle and has a CVSS score of ~6.0–6.3; no public exploit was available at disclosure. Fixes are released in 2.33.8, 2.39.2, and 2.41.0.
