GHSA-m8fg-67j7-cx4v: Portainer has a path traversal in backup archive extraction that allows arbitrary file write
Summary
Portainer's backup restore feature has a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in how it extracts `.tar.gz` archive files. An attacker with administrator access could craft a malicious archive that writes files to arbitrary locations on the server, potentially compromising the system.
Solution / Mitigation
Upgrade to Portainer 2.39.0 or later, or for the 2.33.x LTS branch, upgrade to 2.33.8. The fix replaces the unsafe `filepath.Clean(filepath.Join())` path construction with `filesystem.JoinPaths`, which prevents directory traversal. As a temporary workaround if you cannot upgrade immediately: only restore archives from trusted sources and use Portainer's optional backup encryption feature, which requires the correct passphrase to decrypt before extraction.
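The containment step that the fix adds, as an illustration in Go added here (not Portainer's code: `filesystem.JoinPaths` is not reproduced, and `SafeJoin`, `CheckArchive` and `BuildArchive` are hypothetical names). The difference from the pre-fix `filepath.Clean(filepath.Join())` is the check that the cleaned result still lies under the destination directory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
)

var ErrTraversal = errors.New("archive entry escapes destination directory")
// SafeJoin is a hypothetical containment check, not Portainer's filesystem.JoinPaths. A bare
// filepath.Clean(filepath.Join(dest, name)) normalises "../" away and never asks where it ended up.
func SafeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans the result; Rel cleans both sides too
	rel, err := filepath.Rel(dest, target)
	if err != nil || !filepath.IsLocal(rel) { // rel of ".." or "../x" means target left dest
		return "", ErrTraversal
	}
	return target, nil
}

// CheckArchive resolves every tar entry under dest and stops at the first escape; it writes nothing.
func CheckArchive(r io.Reader, dest string) ([]string, error) {
	tr, paths := tar.NewReader(r), []string{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return paths, nil
		} else if err != nil && !errors.Is(err, tar.ErrInsecurePath) { // Go 1.20+ may pre-flag names
			return nil, err
		}
		p, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
}

// BuildArchive builds an in-memory tar of empty files (constructed sample input).
func BuildArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o600})
	}
	tw.Close()
	return buf.Bytes()
}
```

A lexical check like this does not cover symlink entries inside the archive; an extractor must also refuse entries whose path passes through a symlink it has already written.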
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-m8fg-67j7-cx4v
First tracked: May 14, 2026 at 02:00 PM