Portainer, Path Traversal, CVE-2026-XXXX (Medium)

Listen to this Post

How the vulnerability works

The vulnerability exists in Portainer’s backup‑restore functionality.

When a `.tar.gz` archive is uploaded, Portainer calls `ExtractTarGz()` in api/archive/targz.go.
Before the fix, this function constructed the final write path with filepath.Clean(filepath.Join(outputDirPath, header.Name)).
`filepath.Join()` lexically resolves `../` components, and `filepath.Clean()` normalises the result, but neither verifies that the resulting path stays inside outputDirPath.
Therefore, a malicious archive can contain a tar entry such as ../../etc/cron.d/evil.
When that path is cleaned and joined, it points to a location outside the extraction root.
Because the tar extraction does not enforce a “path containment” check, Portainer will write the file to that arbitrary location on the server filesystem.
This allows an attacker to bypass the intended directory restriction and write files anywhere the Portainer process has permission to write (in containerised deployments this is typically root).
The attack is classified as CWE‑22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., “Path Traversal”).

DailyCVE form

Platform: `Portainer`
Version: `< 2.39.0` Vulnerability: `Path Traversal` Severity: `Medium` date: `2026-05-07`

Prediction: `2.39.1 (~1 month)`

What Undercode Say:

Search for vulnerable function calls in the codebase
grep -r "filepath.Clean(filepath.Join" ./api/archive/
Reproduce the path traversal locally
mkdir -p test_restore
echo "malicious" > payload.txt
tar -czf evil.tar.gz -C /tmp ../../etc/cron.d/evil (illustrative)
Upload evil.tar.gz to /api/restore and observe file written outside test_restore/

Exploit:

Crafted `.tar.gz` with entries like `../../etc/cron.d/backdoor` → extracted outside intended directory → arbitrary file write (e.g., cron job, SSH authorized_keys).

Protection:

Upgrade to Portainer ≥2.39.0 or apply backport ≥2.33.8.

Use encrypted backups (passphrase required before extraction).

Validate all paths against a whitelist after cleaning.

Impact:

Arbitrary file write → host persistence (cron, SSH keys) or config tampering. Limited by need for admin privileges.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top