
portainer

v2.39.2 Security

This release includes 29 security fixes for security teams reviewing exposed deployments.



Summary

AI summary

Docker API proxy authorisation bypass that allowed regular users to circumvent deny-plugin restrictions was fixed.

Full changelog

Known issues

  • On Async Edge environments, an invalid update schedule date can be displayed when browsing a snapshot

Known issues with Podman

  • Podman environments aren't supported by the auto-onboarding script
  • It's not possible to add Podman environments via socket when running a Portainer server on Docker (and vice versa)
  • Only CentOS 9 with rootful Podman 5 is supported

Changes

  • Fixed an issue where the kubectl-shell-image flag only takes effect on the first Portainer run
  • Fixed an issue where deleting a kube edge stack results in a downed environment
  • Fixed an issue where Edge stack deployment retries stopped working
  • Fixed an issue with saving Git credentials
  • Fixed a Docker API proxy authorisation bypass that allowed regular users to circumvent deny-plugin restrictions
  • Changed a default setting to enforce server-side EdgeID on first connection
  • Fixed a bind mount restriction bypass via HostConfig.Mounts during container creation
  • Fixed a bind mount restriction bypass during Swarm service creation
  • Fixed a container capabilities and sysctl restriction bypass during Swarm service creation
  • Fixed an issue where CronJob executions were not filtered by namespace: same-name CronJobs across namespaces showed identical execution lists
  • Fixed an issue where the request failed with status code 504
  • Removed the option to pass a JWT token as a query string parameter
  • Upgraded typescript to v6
  • Fixed the TLS certificate uploading
  • Fixed a stacks issue where stack.env can be null
  • Ensured Portainer pulls images sequentially and respects COMPOSE_PARALLEL_LIMIT
  • Removed the possibility to clone Git repositories that contain symlinks
  • Fixed a DB write deadlock on ECR token refresh during stack redeployment
  • Enforced admin permissions when updating endpoint relations
  • Enforced admin permissions for the /system endpoint
  • Fixed handling of empty healthcheck log output
  • Resolved the following CVEs:
    • CVE-2026-35469
    • CVE-2026-32280
    • CVE-2026-32281
    • CVE-2026-32283
    • CVE-2026-32282
    • CVE-2026-32289
    • CVE-2026-32288
    • CVE-2026-25679
    • CVE-2026-27142
    • CVE-2026-27139
    • CVE-2026-32285
    • CVE-2026-39883
    • CVE-2026-39882
    • GHSA-xmrv-pmrh-hhx2
    • CVE-2026-32952
    • CVE-2026-34165
    • CVE-2026-33762
    • GHSA-3xc5-wrhm-f963
    • CVE-2026-35206
    • CVE-2026-31789
    • CVE-2026-28387
    • CVE-2026-28388
    • CVE-2026-28390
    • CVE-2026-31790
    • CVE-2026-28389
    • CVE-2026-2673
    • CVE-2026-40200
    • CVE-2026-6042
    • CVE-2026-22184
    • CVE-2026-27171

Deprecated and removed features

Deprecated features

None.

Removed features

None.

Security Fixes

  • CVE-2026-35469 — Docker API proxy authorisation bypass allowing regular users to circumvent deny-plugin restrictions
  • Additional CVEs and GitHub advisories resolved in this release:
    • CVE-2026-32280
    • CVE-2026-32281
    • CVE-2026-32283
    • CVE-2026-32282
    • CVE-2026-32289
    • CVE-2026-32288
    • CVE-2026-25679
    • CVE-2026-27142
    • CVE-2026-27139
    • CVE-2026-32285
    • CVE-2026-39883
    • CVE-2026-39882
    • GHSA-xmrv-pmrh-hhx2
    • CVE-2026-32952
    • CVE-2026-34165
    • CVE-2026-33762
    • GHSA-3xc5-wrhm-f963
    • CVE-2026-35206
    • CVE-2026-31789
    • CVE-2026-28387
    • CVE-2026-28388
    • CVE-2026-28390
    • CVE-2026-31790
    • CVE-2026-28389
    • CVE-2026-2673
    • CVE-2026-40200
    • CVE-2026-6042
    • CVE-2026-22184
    • CVE-2026-27171


About portainer

Making Docker and Kubernetes management easy.


Related context

Earlier breaking changes

  • v2.42.0 Removal of legacy CSRF fallback feature flag.
