portainer v2.39.3 (Security release)

This release includes 13 security fixes and is relevant for security teams reviewing exposed deployments.

This release patches 13 known CVEs

Topics

docker docker-deployment docker-swarm docker-ui kubernetes moby portainer ui

Affected surfaces

auth rce_ssrf deps crypto_tls

ReleasePort's take

Moderate signal

ReleasePort 2.39.3 patches a team‑access escalation flaw in the AuthorizedResourceControlUpdate API and eliminates a full‑read SSRF vulnerability in the GitLab Registry Proxy endpoint.

Why it matters: the access-escalation fix (severity 90) prevents privilege abuse, and the SSRF remediation (severity 95) blocks unauthorized network reads. Operators should upgrade immediately to mitigate these high-impact risks.

Summary (AI-generated)

Fixed team access escalation, GitLab Registry Proxy SSRF, and multiple dependency vulnerabilities.

Changes in this release

Source for all entries: llm_adapter@2026-06-04 (confidence: high)

  • Security, Critical: Fixed team access escalation via AuthorizedResourceControlUpdate logic flaw
  • Security, Critical: Fixed full-read SSRF vulnerability in GitLab Registry Proxy endpoint
  • Feature, Low: Improved edge environment snapshot reliability by proactively triggering snapshots
  • Dependency, Critical: Bumped github.com/go-git/go-git/v5 to 5.18.0 addressing CVE-2026-34165, GHSA-3xc5-wrhm-f963, CVE-2026-33762
  • Dependency, Critical: Bumped golang.org/x/net to >=0.53.0 addressing CVE-2026-27141, CVE-2026-33814
  • Dependency, Critical: Bumped golang.org/x/crypto to 0.52.0 addressing multiple CVEs (CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-42508, CVE-2026-46595)
  • Dependency, High: Bumped in-toto-golang to 0.11.0 addressing GHSA-pmwq-pjrm-6p5r
  • Bugfix, Medium: Fixed panic in Chisel component
  • Bugfix, Medium: Fixed "Re-pull image and redeploy" toggle malfunction
  • Bugfix, Medium: Fixed Git Auto Update polling failure after improper shutdowns

Full changelog

Known issues

  • On Async Edge environments, an invalid update schedule date can be displayed when browsing a snapshot

Known issues with Podman support

  • Support only for CentOS 9 with rootful Podman 5
  • Auto onboarding a Podman environment defaults to "Standard" and not "Podman"
  • It's not possible to add Podman environments via socket, when running a Portainer server on Docker (and vice versa)

Changes

  • Fixed a panic in Chisel
  • Bumped in-toto-golang to 0.11.0 to address GHSA-pmwq-pjrm-6p5r
  • Fixed a team access escalation via AuthorizedResourceControlUpdate logic flaw
  • Fixed a full-read server-side request forgery (SSRF) vulnerability in the GitLab Registry Proxy endpoint that could be exploited via the X-Gitlab-Domain header
  • Bumped github.com/go-git/go-git/v5 to 5.18.0 to address the following CVEs:
    • CVE-2026-34165
    • GHSA-3xc5-wrhm-f963
    • CVE-2026-33762
  • Bumped golang.org/x/net to >= 0.53.0 to address the following CVEs:
    • CVE-2026-27141
    • CVE-2026-33814
  • Fixed the "Re-pull image and redeploy" toggle
  • Improved edge environment snapshot reliability by proactively triggering snapshots
  • Bumped golang.org/x/crypto to 0.52.0 to address the following CVEs:
    • CVE-2026-39830
    • CVE-2026-39831
    • CVE-2026-39832
    • CVE-2026-39833
    • CVE-2026-39834
    • CVE-2026-42508
    • CVE-2026-46595
  • Fixed a Git Auto Update polling failure for Stacks caused by improper shutdowns

Deprecated and removed features

None

Security Fixes

  • CVE-2026-34165 (fixed via github.com/go-git/go-git/v5 bump)
  • GHSA-3xc5-wrhm-f963 (fixed via github.com/go-git/go-git/v5 bump)
  • CVE-2026-33762 (fixed via github.com/go-git/go-git/v5 bump)
  • CVE-2026-27141 (fixed via golang.org/x/net bump >=0.53.0)
  • CVE-2026-33814 (fixed via golang.org/x/net bump >=0.53.0)
  • GHSA-pmwq-pjrm-6p5r (fixed via in-toto-golang bump to 0.11.0)
  • CVE-2026-39830 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-39831 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-39832 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-39833 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-39834 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-42508 (fixed via golang.org/x/crypto bump to 0.52.0)
  • CVE-2026-46595 (fixed via golang.org/x/crypto bump to 0.52.0)


About portainer

Making Docker and Kubernetes management easy.


Related context

Earlier breaking changes

  • v2.42.0 Removal of legacy CSRF fallback feature flag.
