CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)
From CTI Daily Brief — 2026-05-29 · published 2026-05-29
Portainer shipped CE 2.33.8 / 2.39.2 / 2.41.0 on 2026-05-28 closing two CVSS 9.4 authorization bypasses; CCB Belgium issued a "Patch Immediately" advisory on the same day.

CVE-2026-44848 (GHSA-rrmm-9v76-h3p4) — the Docker plugin-management endpoints (/plugins/*) are not registered in Portainer's proxy-authorization handler map, so any authenticated non-admin user with endpoint access can POST /plugins/pull to install a plugin from any registry and POST /plugins/{name}/enable to activate it. Docker runs enabled plugins as root on the host with the plugin's declared capabilities and mounts, giving OS-level code execution.

CVE-2026-44849 (GHSA-5fxq-qcf3-244w) — Portainer's seven EndpointSecuritySettings restrictions (privileged mode, host PID, device mapping, capabilities, sysctls, security-opt, bind mounts) are enforced on the standard container-create path but not on the Docker Swarm service API: POST /services/create validates only Mounts[] (1 of 7 checks), and POST /services/{id}/update performs no checks at all. Non-admin users can therefore submit arbitrary CapabilityAdd, Sysctls and Privileges values, and a volume-driver bypass additionally allows bind-mount equivalents via Type: volume with VolumeOptions.DriverConfig.Options{type: none, o: bind}.

Affected: CE 2.33.0–2.33.7, 2.39.0–2.39.1, 2.40.x. Temporary mitigation: revoke Swarm endpoint access for non-admin users via Portainer RBAC, and disable plugin management for non-admin users.
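The defensive point of CVE-2026-44849 is that a Swarm service spec needs the same seven EndpointSecuritySettings checks as a container spec, including the volume-driver form of a bind mount. The following Go is an added example written for this brief, not Portainer's code: the struct shapes and field names (Mount, ContainerSpec, Restrictions) are simplified assumptions standing in for the Docker Swarm ServiceSpec fields the advisory names.

```go
package main

import "strings"

// Simplified stand-ins for the Swarm ServiceSpec fields named in the advisory (assumed shapes, not Docker's or Portainer's types).
type Mount struct {
	Type       string            // "bind" or "volume"
	DriverOpts map[string]string // VolumeOptions.DriverConfig.Options
}
type ContainerSpec struct {
	Privileged                           bool
	PidMode                              string // "host" shares the host PID namespace
	Devices, CapabilityAdd, SecurityOpts []string
	Sysctls                              map[string]string
	Mounts                               []Mount
}
// Deny flags for the seven EndpointSecuritySettings restrictions (names assumed).
type Restrictions struct {
	Privileged, HostPID, Devices, Caps, Sysctls, SecurityOpt, BindMounts bool
}

// isBindEquivalent flags an explicit bind mount and the advisory's volume-driver form: Type volume, driver opts type=none,o=bind.
func isBindEquivalent(m Mount) bool {
	if m.Type == "bind" {
		return true
	}
	opts := "," + strings.ReplaceAll(m.DriverOpts["o"], " ", "") + "," // "o" is comma-separated, e.g. "bind,ro"
	return m.Type == "volume" && m.DriverOpts["type"] == "none" && strings.Contains(opts, ",bind,")
}

// CheckServiceSpec applies all seven restrictions and returns the names violated; it must run on both create and update.
func CheckServiceSpec(c ContainerSpec, r Restrictions) []string {
	var v []string
	add := func(cond bool, name string) {
		if cond {
			v = append(v, name)
		}
	}
	add(r.Privileged && c.Privileged, "privileged")
	add(r.HostPID && c.PidMode == "host", "host-pid")
	add(r.Devices && len(c.Devices) > 0, "devices")
	add(r.Caps && len(c.CapabilityAdd) > 0, "capabilities")
	add(r.Sysctls && len(c.Sysctls) > 0, "sysctls")
	add(r.SecurityOpt && len(c.SecurityOpts) > 0, "security-opt")
	for _, m := range c.Mounts {
		add(r.BindMounts && isBindEquivalent(m), "bind-mount")
	}
	return v
}
```

A spec with an empty result is the only one the service create or update handler should forward to Docker; anything else is rejected with the violated restriction names.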