portainer

Known issues

• On Async Edge environments, an invalid update schedule date can be displayed when browsing a snapshot.

Known issues with Podman support

• Support for only CentOS 9, Podman 5 rootful.

Changes

Breaking changes

Changes to the CSRF protection implementation may cause failures when upgrading:

• Removal of legacy CSRF fallback (scheduled). The legacy-csrf feature flag, introduced in 2.41 as a temporary migration aid, has been removed as scheduled. Users still relying on this flag must resolve any CSRF configuration issues before upgrading (see the 2.41 breaking changes for details). This change also resolves CVE-2025-47909.

New and improved features

• Added theme selector to the user menu, allowing switching between light, dark, and high-contrast themes without navigating to settings.
• Added GitOps sources list view and source detail view for managing Git sources used in deployments.
• Added a connectivity test before adding edge environments.
• Added Docker host disk usage display to the host details view.
• Replaced Kubernetes Volume view with 3 new tables for PV, PVC, SC (PersistentVolumes, PersistentVolumeClaims, StorageClasses).
• Added link ability between Kubernetes secrets and service account image pull secrets for private registry access.
• Added pod restart and pod delete support on the Kubernetes application details page.
• Improved Application Container list, separated pod info from containers list.
• Ported Swarm stack deployments to use libstack, eliminating the embedded Docker binary from CE/BE images.
• Added support for volumes-only mount paths in the agent, enabling environments where Docker volumes are accessible via non-default mount paths.
• Added missing snapshot collection for Edge Agents with long running Chisel connections.

Security improvements

• Fixed Docker exec endpoint to enforce container resource controls, preventing unauthorized exec access to containers.
• Fixed Docker proxy to enforce resource controls on /containers/{id}/attach/ws WebSocket endpoint.
• Fixed URL path rewriting to clear the RawPath field, preventing path traversal via percent-encoded paths.
• Changed a default setting to enforce server-side EdgeID on first connection.
• Authentication cookies now have the Secure attribute set automatically when Portainer is accessed over HTTPS.
• Upgraded golang.org/x/net to v0.54.0 to address CVE-2026-27141 and CVE-2026-33814.
• Upgraded github.com/go-git/go-git/v5 to v5.19.0 to address CVE-2026-34165, GHSA-3xc5-wrhm-f963, and CVE-2026-33762.
• Upgraded github.com/in-toto/in-toto-golang to v0.11.0 to address GHSA-pmwq-pjrm-6p5r.
• Upgraded github.com/Azure/go-ntlmssp to v0.1.1 to address CVE-2026-32952.
• Upgraded github.com/prometheus/prometheus to v0.311.3 to address CVE-2026-40179, GHSA-fw8g-cg8f-9j28, and CVE-2026-42151.

Bug fixes

• Fixed TLS configuration being accepted for Edge Agent environments via API (TLS is now correctly rejected for Edge Agent environment creation and updates).
• Fixed stack deployments hanging due to deadlock during ECR token refresh under concurrent stack deployments.
• Fixed Chisel panic caused by a negative WaitGroup counter.
• Fixed stack images being pulled in parallel causing rate-limiting failures; images are now pulled sequentially and COMPOSE_PARALLEL_LIMIT is respected.
• Fixed GitOps polling stopping permanently after a deployment error; auto-update now resumes correctly on subsequent polling cycles.
• Fixed GitOps auto-update skipping re-deployment when the commit hash was persisted before the deployment attempt; the hash is now only written after the deploy status is saved.
• Fixed an issue where editing a private git stack required re-entering credentials due to incorrect form validation and missing stack ID in gitops API calls.
• Fixed “Stack ID required” error appearing when viewing logs for containers not part of a stack.
• Fixed re-pull and redeploy operation to use the compose service for image pulling.
• Fixed kubectl-shell-image flag only taking effect on the first Portainer run; the flag is now re-applied on each restart.
• Fixed Kubernetes application edit buttons not working for Git-managed applications.
• Fixed effective access viewer not including policies when calculating user access.
• Fixed volume browsing failure when Docker data root is set to a non-default path.
• Fixed incorrect OS labels for edge agent and Docker API environments (Linux/Windows labels now aligned).
• Fixed change confirmation dialog incorrectly appearing during Helm deployment creation.
• Fixed Edge environment URLs displayed on the home page incorrectly showing the Portainer server URL; the URL is now hidden on the list view and the server/tunnel URLs are shown on the environment detail panel instead.
• Fixed environments with unknown version incorrectly showing as “outdated”.
• Fixed dropdown menus in the Omni wizard being hidden behind the sticky footer.
• Fixed missing icon in the host details view.
• Fixed sidebar parent menu items appearing misaligned.
• Fixed age filter on the home page not persisting across page reloads.
• Fixed Edge environment creation failing for CE users.

Deprecated and removed features

Deprecated features

None.

Removed features

• Removed OpenAMT integration.